
Re: [Sheflug] Firewalls and port scanners



> It's a good start but not brilliant - what you want is someone outside to use 
> a program like nmap to portscan your entire machine :)

Quite. Who do I trust enough to give my IP to...

> 
> > 
> > As I do not wish to have any publicly open ports at this time, would
> > blanket-rejecting anything on ppp-in be acceptable?
> > 
> No. This may be fine for TCP, to a point (FTP will be your problem), but UDP 
> needs some open ports depending on what you use (DNS needs 53, ICQ needs 4000 
> and some extra config depending on what you're doing, Real-player needs a UDP 
> port open as well)...it depends on your application.

I have discovered this. After sending the message, I thought, what the
hell, and did it anyway. Nothing comes in, nothing goes out. Waste of time
really :-)

> 
> What I have open, that you may find useful:
> Proto   Chain    Source          Destination              Iface
> -----   -------  --------------- ----------------------   -----
> icmp    input    0/0             0/0                      ppp0
> tcp     input    0/0             0/0:icq-low:icq-high     ppp0    
> tcp     input    0/0:ftp-data    0/0                      ppp0    
> udp     input    0/0:domain      0/0                      ppp0    
> udp     input    0/0:icq-serv    0/0                      ppp0    
> udp     input    0/0             0/0:real-player          ppp0    
> 

Yes, I'll put these in and see if that's better than what I have got
(currently all ports 1023 up are open (aaagh!) so it has to be better
really ;-)

> This is pretty liberal - and it could be tightened up more, but it's 
> sufficient for me.

I have only one box, with a modem. This should be fine for my uses.

> I've got a script that processes a rules file...I got fed up trying to 
> remember the ipchains and ipmasqadm command lines, so wrote an rc script to 
> read a config file with all the rules in. Works quite nicely for me :)

It seems that gfcc does exactly this, but lets you mess with the rules
file with a GUI. OK for beginners and lazy people :)

Cheers,

Craig
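An added example, not part of either poster's script: a small sh function that reads a rules table in the layout quoted above and prints the matching ipchains commands instead of running them, finishing with the "blanket reject" for everything else on the ppp interface that the thread discusses. It assumes the table's "addr:port" and "addr:low:high" columns map to ipchains' "addr port[:port]" form, and that the first two header lines are skipped.

```shell
#!/bin/sh
# Added example: turn the quoted rules table into ipchains commands.
# Commands are printed, not executed, so they can be checked before use.

# Sample rules file, constructed to match the table quoted in the thread.
RULES='Proto   Chain    Source          Destination              Iface
-----   -------  --------------- ----------------------   -----
icmp    input    0/0             0/0                      ppp0
tcp     input    0/0             0/0:icq-low:icq-high     ppp0
tcp     input    0/0:ftp-data    0/0                      ppp0
udp     input    0/0:domain      0/0                      ppp0
udp     input    0/0:icq-serv    0/0                      ppp0
udp     input    0/0             0/0:real-player          ppp0'

# endpoint "addr[:port[:port]]": emit the "addr [port[:port]]" form
# that ipchains expects after -s / -d (assumed mapping).
endpoint() {
    case "$1" in
        *:*) printf '%s %s' "${1%%:*}" "${1#*:}" ;;
        *)   printf '%s' "$1" ;;
    esac
}

# gen_rules IFACE: one ACCEPT line per table row (header lines skipped),
# then a logged DENY for anything else arriving on IFACE, so that ports
# above 1023 are no longer left open by default.
gen_rules() {
    iface="$1"
    printf '%s\n' "$RULES" | tail -n +3 | while read -r proto chain src dst ifc; do
        [ -n "$proto" ] || continue
        printf 'ipchains -A %s -i %s -p %s -s %s -d %s -j ACCEPT\n' \
            "$chain" "$ifc" "$proto" "$(endpoint "$src")" "$(endpoint "$dst")"
    done
    printf 'ipchains -A input -i %s -j DENY -l\n' "$iface"
}

gen_rules ppp0
```

Pipe the output into sh only after reading it; the final DENY rule means anything not listed in the table (a new UDP application, for instance) will be dropped and logged.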

---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.