09-13-2008, 09:50 PM
Michal 'vorner' Vaner

Trying to block third party ip address with iptables...

Hello

On Sat, Sep 13, 2008 at 11:36:13PM +0200, pk wrote:
> I am using shorewall on my local computer (the same I'm surfing the web
> with). My skills with iptables are not really good and my understanding of
> networking also has some holes in it... However, I'm trying to prevent
> firefox from accessing a third party site; I'm logging onto a site with
> firefox. With netstat I can see that besides the usual ip address belonging
> to the site another ip-address (not belonging to the original site) shows
> up. While trying to block the additional ip address with both "iptables -A
> INPUT -s xxxx -j DROP" and "iptables -A OUTPUT -d xxxx -j DROP" it still
> sends a SYN request to this site. This makes firefox just sit there waiting
> for a time-out. How can I prevent firefox from accessing the other site,
> while still accessing the original one?

If I leave aside that it is quite odd it would have accessed two sites at once
(either a virus/cracked computer, or one is just closed, or maybe just an
external image), using DROP is plain wrong. You should REJECT (or is it
reject, I'm not sure about the case) the packets (at output in this
case).

DROP causes the packet to get blackholed without a trace. It sometimes
happens to packets on the internet, so it is usual to try again and again
until it succeeds or a timeout (usually tens of seconds) is reached.

If you reject it (either with port or destination unreachable, or even
with "administratively filtered"), the other side knows it has no reason
to try again, reports failure right away, and saves the traffic and
resources by not retrying.

Some people say DROP does not show you exist but REJECT does. That is
wrong too: destination unreachable means "there is no such machine with
this IP", so it should hide the whole machine better than DROP (if I
send packets and neither errors nor responses come back, I suspect a firewall as
well as a malfunction).

Does this help?

Have a nice help

--
BOFH Excuse #452:
Somebody ran the operating system through a spelling checker.

Michal 'vorner' Vaner
 
09-14-2008, 09:04 AM
pk

Trying to block third party ip address with iptables...

Michal 'vorner' Vaner wrote:

> DROP causes the packet to get blackholed without a trace. It sometimes
> happens to packets on internet so it is usual to try again and again
> until it succeeds or timeout (usually in tens of seconds) is reached.

That was the intention. The site in question is my bank's site. And they
have a marketing survey company linked to their site which I want to
hide from. If I want to use the bank's internet services, which I pay
for, I don't want third parties to snoop on my activities...

I read somewhere that the default timeout for a SYN request is 2 minutes.

> Does this help?


I tried doing what you suggested (the rules below were added to both the
OUTPUT and the INPUT chain):

iptables -A OUTPUT -m iprange --src-range 66.235.128.0-66.235.159.255 -j REJECT
iptables -A INPUT -m iprange --src-range 66.235.128.0-66.235.159.255 -j REJECT

iptables -A OUTPUT -m iprange --dst-range 66.235.128.0-66.235.159.255 -j REJECT
iptables -A INPUT -m iprange --dst-range 66.235.128.0-66.235.159.255 -j REJECT

This should REJECT from both ends, no? But netstat says the connection
is established anyway...

With DROP it worked for the first page (it never showed up as SYN_SENT).
But when I logged in (with DROP) there would still be a SYN_SENT on port
443 (SSL) and firefox would wait for the timeout.

> Have a nice help

Thanks!

FYI, I tried using a firefox extension called Siteblock but it doesn't
work for "third party" access, only direct, it seems...


Best regards

Peter K
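As an added illustration (not part of the thread, and not pk's or vorner's code), the script below turns the range pk used into CIDR form, emits the REJECT variant vorner recommends, and checks a netstat listing for connections into that range so you can see states like SYN_SENT or ESTABLISHED. The netstat sample is constructed; the rules use -I rather than -A, because a rule appended after an existing ACCEPT never gets a chance to match, which is one common reason a REJECT added with -A appears to do nothing.

```python
import ipaddress

# Range from the thread, to be summarised into CIDR blocks for -s/-d matching.
BLOCKED_RANGE = ("66.235.128.0", "66.235.159.255")


def range_to_cidrs(first, last):
    """Collapse an inclusive IPv4 range into the minimal list of CIDR networks."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in nets]


def reject_rules(cidrs):
    """Build iptables commands that REJECT (not DROP) traffic to and from the range.

    -I <chain> 1 inserts at the top of the chain so an earlier ACCEPT cannot
    match first; icmp-admin-prohibited is the "administratively filtered" reply
    vorner mentions, which makes the local socket fail immediately instead of
    retrying the SYN until the timeout.
    """
    cmds = []
    for net in cidrs:
        cmds.append(f"iptables -I OUTPUT 1 -d {net} -j REJECT --reject-with icmp-admin-prohibited")
        cmds.append(f"iptables -I INPUT 1 -s {net} -j REJECT --reject-with icmp-admin-prohibited")
    return cmds


# Constructed sample of `netstat -tn` output (the addresses are made up).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:51234      203.0.113.5:443         ESTABLISHED
tcp        0      1 192.168.1.10:51240      66.235.140.17:443       SYN_SENT
tcp        0      0 192.168.1.10:51242      66.235.130.8:80         ESTABLISHED
"""


def connections_in_range(netstat_text, cidrs):
    """Return (foreign_ip, port, state) for every TCP line whose peer is in the range."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    hits = []
    for line in netstat_text.splitlines():
        if not line.startswith("tcp"):
            continue  # skip the header line
        fields = line.split()
        foreign, state = fields[4], fields[5]
        ip, port = foreign.rsplit(":", 1)
        if any(ipaddress.ip_address(ip) in n for n in nets):
            hits.append((ip, int(port), state))
    return hits
```

Run `connections_in_range` against real `netstat -tn` output after applying the rules; an ESTABLISHED entry in the range means the connection was matched by an earlier ACCEPT or predates the rule.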
 
09-14-2008, 03:08 PM
Grant Edwards

Trying to block third party ip address with iptables...

On 2008-09-14, pk <peterk2@coolmail.se> wrote:
> Michal 'vorner' Vaner wrote:

>> DROP causes the packet to get blackholed without a trace. It
>> sometimes happens to packets on internet so it is usual to try
>> again and again until it succeeds or timeout (usually in tens
>> of seconds) is reached.
>
> That was the intention. The site in question is my bank's site.
> And they have a marketing survey company linked to their site
> which I want to hide from. If I want to use the bank's internet
> services, which I pay for, I don't want third parties to snoop
> on my activities...

Sounds like you ought to find a bank that provides decent web
service.

--
Grant
 
09-14-2008, 06:01 PM
Alan McKinnon

Trying to block third party ip address with iptables...

On Sunday 14 September 2008 11:04:47 pk wrote:
> That was the intention. The site in question is my bank's site. And they
> have a marketing survey company linked to their site which I want to
> hide from. If I want to use the bank's internet services, which I pay
> for, I don't want third parties to snoop on my activities...

OK. Now that we know the real problem, we can give you the real solution.

Change your bank.

I'm not kidding, you shouldn't have to put up with that shit.

--
alan dot mckinnon at gmail dot com
 
09-15-2008, 12:48 AM
Grant Edwards

Trying to block third party ip address with iptables...

On 2008-09-14, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On Sunday 14 September 2008 11:04:47 pk wrote:
>
>> That was the intention. The site in question is my bank's site.
>> And they have a marketing survey company linked to their site
>> which I want to hide from. If I want to use the bank's internet
>> services, which I pay for, I don't want third parties to snoop
>> on my activities...
>
> OK. Now that we know the real problem, we can give you the real solution.
>
> Change your bank.

And write a polite letter to a couple of bank executives (yes, on
paper, in an envelope, with a stamp on it) explaining why. It
won't take very many such letters before they straighten things
out. Don't bother complaining via e-mail. It'll only be seen
by some poor wage-slave who doesn't care and couldn't do
anything about it if he did. Telephoning will probably be even
less useful (unless you want to know what the weather is like
in Mumbai or Bangalore).

> I'm not kidding, you shouldn't have to put up with that shit.

Not at all.

--
Grant