Re: [Sheflug] Firewalls and port scanners
> It's a good start but not brilliant - what you want is someone outside to use
> a program like nmap to portscan your entire machine :)
Quite. Who do I trust enough to give my IP to...
>
> >
> > As I do not wish to have any publicly open ports at this time, would
> > blanket-rejecting anything on ppp-in be acceptable?
> >
> No. This may be fine for TCP, to a point (FTP will be your problem), but UDP
> needs some open ports depending on what you use (DNS needs 53, ICQ needs 4000
> and some extra config depending on what you're doing, Real-player needs a UDP
> port open as well)...it depends on your application.
I have discovered this. After sending the message, I thought, what the
hell, and did it anyway. Nothing comes in, nothing goes out. Waste of time
really :-)
>
> What I have open, that you may find useful:
> Proto Chain Source          Destination             Iface
> ----- ----- --------------- ----------------------- -----
> icmp  input 0/0             0/0                     ppp0
> tcp   input 0/0             0/0:icq-low:icq-high    ppp0
> tcp   input 0/0:ftp-data    0/0                     ppp0
> udp   input 0/0:domain      0/0                     ppp0
> udp   input 0/0:icq-serv    0/0                     ppp0
> udp   input 0/0             0/0:real-player         ppp0
>
Yes, I'll put these in and see if that's better than what I have got
(currently all ports 1023 up are open (aaagh!) so it has to be better
really ;-)
> This is pretty liberal - and it could be tightened up more, but it's
> sufficient for me.
I have only one box, with a modem. This should be fine for my uses.
> I've got a script that processes a rules file...I got fed up trying to
> remember the ipchains and ipmasqadm command lines, so wrote an rc script to
> read a config file with all the rules in. Works quite nicely for me :)
It seems that gfcc does exactly this, but lets you mess with the rules
file with a GUI. OK for beginners and lazy people :)
Cheers,
Craig
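The quoted rule table written out as an ipchains script for a single dial-up host, added here as an example and not code from either poster. It tightens two of the holes (the ftp-data and domain source-port rules) the way the "could be tightened up more" remark suggests; the ICQ and Real Player port numbers and the DNS_SERVER address are assumed placeholders to set from your own /etc/services and ISP.

```shell
#!/bin/sh
# Added example, not code from the thread: the quoted rule table as ipchains
# commands for a dial-up host. Dry run by default (each command is printed);
# run as root with APPLY=1 to execute it for real.
IFACE="${IFACE:-ppp0}"
# The table names icq-low/icq-high and real-player symbolically; these numbers
# are assumed placeholders, set them to match your /etc/services.
ICQ_LOW="${ICQ_LOW:-2000}"
ICQ_HIGH="${ICQ_HIGH:-4000}"
ICQ_SERV="${ICQ_SERV:-4000}"        # the thread says ICQ uses UDP 4000
REAL_UDP="${REAL_UDP:-6970:7170}"   # assumed range for the Real Player stream
DNS_SERVER="${DNS_SERVER:-0/0}"     # narrow this to your ISP's resolver address

ipc() {
    if [ "${APPLY:-0}" = 1 ]; then ipchains "$@"; else echo "ipchains $*"; fi
}

ppp_input_rules() {
    # Default deny on input, then open only what the table lists.
    ipc -P input DENY
    ipc -A input -i lo -j ACCEPT
    # ICMP is needed for path-MTU discovery and error reports.
    ipc -A input -i "$IFACE" -p icmp -j ACCEPT
    # Replies to TCP connections this host opened carry no SYN flag (! -y).
    # This covers HTTP, mail and passive-mode FTP without a per-port hole, so
    # the table's ftp-data rule (any TCP from source port 20, whatever the
    # destination port) is left out; use passive mode in your FTP client.
    ipc -A input -i "$IFACE" -p tcp ! -y -j ACCEPT
    # Inbound ICQ: only the client's listening range.
    ipc -A input -i "$IFACE" -p tcp -d 0/0 "$ICQ_LOW:$ICQ_HIGH" -j ACCEPT
    # DNS answers: UDP from port 53 back to an unprivileged local port. The
    # table's "udp from domain to 0/0" admits any UDP with source port 53;
    # pinning the resolver address and the destination range is tighter.
    ipc -A input -i "$IFACE" -p udp -s "$DNS_SERVER" domain -d 0/0 1024:65535 -j ACCEPT
    # ICQ server traffic and the Real Player stream, again to high ports only.
    ipc -A input -i "$IFACE" -p udp -s 0/0 "$ICQ_SERV" -d 0/0 1024:65535 -j ACCEPT
    ipc -A input -i "$IFACE" -p udp -d 0/0 "$REAL_UDP" -j ACCEPT
    # Log (-l) what the policy drops, so a port scan from outside shows up in
    # syslog instead of vanishing silently.
    ipc -A input -i "$IFACE" -l -j DENY
}

ppp_input_rules
```

Run it once without APPLY to read the generated commands, then `APPLY=1 ./ppp-rules.sh` as root; `ipchains -L input -n -v` afterwards shows the counters climbing on the logging rule when someone scans you.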
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.