
[Sheflug] Firewall stuff




------- Forwarded message follows -------
From:           	"Martyn Ranyard" <ranyardm [at] lineone.net>
To:             	<wylug-discuss [at] wylug.org.uk>
Subject:        	[Wylug-discuss] Firewall stuff
Date sent:      	Wed, 6 Dec 2000 13:24:32 -0000


Following the recent thread(s?) on firewalling, I thought this might 
come in useful to anyone thinking of having one.

I recently found out that Slackware's default configuration is allow 
all for incoming connections. This for a multi-use firewall box isn't 
a brilliant state of affairs, as if you want some files available to the 
internal lan, they are automatically shared via the external net as 
well. Well, I found a way of getting a nice secure box - no Anon 
FTP attempts from outside will work for example, with about 4 lines 
in the hosts.* files and thought I'd share it for those who don't know 
about them. This also closes off the various SMB/NFS security 
holes from the outside world, so you can export filesystems on the 
firewall for easy configuration without having any editors etc. on the 
firewall!

In /etc/hosts.deny I now have :

ALL: ALL

This is a nice starting point! No one can access the server at all!

Then in /etc/hosts.allow I have the following :

ALL: LOCAL
ALL: 10.0.0.
in.identd: ALL

I also installed nullidentd as I use IRC quite a bit, and sometimes 
have recourse to enter that hellmouth known as #linux. My internal 
network is on 10.0.0.x, and I now have a very secure server, which, 
unless someone can fake their IP to be 127.0.0.x or 10.0.0.x from 
the internet, pointing at our fast-changing IP (DHCP on ISDN) then 
no one can access the machine at all from the internet. Obviously, 
if your internal net is 192.168.x.x or 172.16.x.x then you'd change 
the line from 10.0.0. to whichever. The trailing period (.) is 
necessary for the line to match IPs that start with 10.0.0, you can 
also place host names in the files, and partial host names, e.g. if 
you have a customer with 5 IPs, using the domain 
mycustomer.co.uk you can allow them certain or all access, either 
with a in.daemonname: clause or an ALL: clause in the hosts.allow 
file like such :

ALL: .mycustomer.co.uk

and then if they log on from gateway1.mycustomer.co.uk, then 
they are granted access. Note the preceding period, indicating a 
partial domain.

Anyway, now I'm just burbling, but this is a very good setup for 
people on dialup / dhcp, as you never want to be accessed from 
the outside. I'll shut up now.


Martyn
-
martyn@theendofhistether.org.uk

P.S. I don't know if this should be cross-posted to the sheflug 
mailing list, as I don't know if they have multiple lists etc. If the 
sheflugger(s) on this list feel it's appropriate, feel free to cross-post 
it.
------- End of forwarded message -------

Rob Speed,
Systems Analyst/Programmer.
Vickers Laboratories Ltd.
Grangefield Industrial Estate, Pudsey, Leeds LS28 6QW
Switchboard: +44 (0)113 236 2811   Fax: +44 (0)113 236 2703

All opinions are my own and ! Vickers.
< Press space once to quit, or twice to save entire work >
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.