[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sheflug] Firewalls and port scanners

To: Sheflug <sheflug [at] vuw.ac.nz>
Subject: Re: [Sheflug] Firewalls and port scanners
From: Craig Andrews <nospam [at] fishbot.org.uk>
Date: Sun, 1 Oct 2000 15:26:09 +0100 (BST)
List-help: <http://www.sheflug.co.uk>
List-owner: <mailto:sheflug-admins [at] vuw.ac.nz>
List-post: <mailto:sheflug [at] vuw.ac.nz>
List-subscribe: <mailto:sheflug-request [at] vuw.ac.nz?Subject=subscribe>
List-unsubscribe: <mailto:sheflug-request [at] vuw.ac.nz?Subject=unsubscribe>
Reply-to: "Sheflug" <sheflug [at] vuw.ac.nz>
Sender: sheflug-bounce [at] vuw.ac.nz

> It's a good start but not brilliant - what you want is someone outside to use 
> a program like nmap to portscan your entire machine :)

Quite. Who do I trust enough to give my IP to...

> 
> > 
> > As I do not wish to have any publicly open ports at this time, would
> > blanket-rejecting anything on ppp-in be acceptable?
> > 
> No. This may be fine for TCP, to a point (FTP will be your problem), but UDP 
> needs some open ports depending on what you use (DNS needs 53, ICQ needs 4000 
> and some extra config depending on what your doing, Real-player needs a UDP 
> port open as well)...it depends on your application.

I have discovered this. After sending the message, I thought, what the
hell, and did it anyway. Nothing comes in, nothing goes out. waste of time
really :-)

> 
> What I have open, that you may find useful:
> Proto   Chain    Source          Destination              Iface
> -----   -------  --------------- ----------------------   -----
> icmp    input    0/0             0/0                      ppp0
> tcp     input    0/0             0/0:icq-low:icq-high     ppp0    
> tcp     input    0/0:ftp-data    0/0                      ppp0    
> udp     input    0/0:domain      0/0                      ppp0    
> udp     input    0/0:icq-serv    0/0                      ppp0    
> udp     input    0/0             0/0:real-player          ppp0    
> 

Yes, I'll put these in and see if thats better than what I have got
(currently all ports 1023 up are open (aaagh!) so it has to be better
really ;-)

> This is pretty liberal - and it could be tightened up more, but its 
> sufficeient for me.

I have only one box, with a modem. This should be fine for my uses.

> I've got a script that processes a rules file...I got fedup trying to 
> remember the ipchains and ipmasqadm command lines, so wrote an rc script to 
> read a config file with all the rules in. Works quite nicely for me :)

It seems that gfcc does exactly this, but lets you mess with the rules
file with a GUI. OK for beginners and lazy people :)

Cheers,

Craig

---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.

Follow-Ups:
- Re: [Sheflug] Firewalls and port scanners
  - From: Ross <ross.h [at] ntlworld.com>

References:
- Re: [Sheflug] Firewalls and port scanners
  - From: "Chris J/#6" <sixie [at] nccnet.co.uk>

Prev by Date: Re: [Sheflug] Firewalls and port scanners
Next by Date: [Sheflug] Re: Failed IT Project
Prev by thread: Re: [Sheflug] Firewalls and port scanners
Next by thread: Re: [Sheflug] Firewalls and port scanners
Index(es):
- Date
- Thread