RE: [Sheflug] Firewall stuff
Sounds like this is just relying on TCP Wrappers. No mention of ipchains, or
of shutting down services....
MMmmm.
Baz.
>===== Original Message From "Sheflug" <sheflug [at] vuw.ac.nz> =====
>------- Forwarded message follows -------
>From: "Martyn Ranyard" <ranyardm [at] lineone.net>
>To: <wylug-discuss [at] wylug.org.uk>
>Subject: [Wylug-discuss] Firewall stuff
>Date sent: Wed, 6 Dec 2000 13:24:32 -0000
>
>
>Following the recent thread(s?) on firewalling, I thought this might
>come in useful to anyone thinking of having one.
>
>I recently found out that slackware's default configuration is allow
>all for incoming connections. This for a multi-use firewall box isn't
>a brilliant state of affairs, as if you want some files available to the
>internal lan, they are automatically shared via the external net as
>well. Well, I found a way of getting a nice secure box - no Anon
>FTP attempts from outside will work for example, with about 4 lines
>in the hosts.* files and thought I'd share it for those who don't know
>about them. This also closes off the various SMB/NFS security
>holes from the outside world, so you can export filesystems on the
>firewall for easy configuration without having any editors etc. on the
>firewall!
>
>In /etc/hosts.deny I now have :
>
>ALL: ALL
>
>This is a nice starting point! No one can access the server at all!
>
>Then in /etc/hosts.allow I have the following :
>
>ALL: LOCAL
>ALL: 10.0.0.
>in.identd: ALL
>
>I also installed nullidentd as I use IRC quite a bit, and sometimes
>have recourse to enter that hellmouth known as #linux. My internal
>network is on 10.0.0.x, and I now have a very secure server, which,
>unless someone can fake their IP to be 127.0.0.x or 10.0.0.x from
>the internet, pointing at our fast-changing IP (DHCP on ISDN) then
>no one can access the machine at all from the internet. Obviously,
>if your internal net is 192.168.x.x or 172.16.x.x then you'd change
>the line from 10.0.0. to whichever. The trailing period (.) is
>necessary for the line to match IPs that start with 10.0.0, you can
>also place host names in the files, and partial host names, e.g. if
>you have a customer with 5 IPs, using the domain
>mycustomer.co.uk you can allow them certain or all access, either
>with a in.daemonname: clause or an ALL: clause in the hosts.allow
>file like such :
>
>ALL: .mycustomer.co.uk
>
>and then if they log on from gateway1.mycustomer.co.uk, then
>they are granted access. Note the preceding period, indicating a
>partial domain.
>
>Anyway, now I'm just burbling, but this is a very good setup for
>people on dialup / dhcp, as you never want to be accessed from
>the outside. I'll shut up now.
>
>
>Martyn
>-
>martyn [at] theendofhistether.org.uk
>
>P.S. I don't know if this should be cross-posted to the sheflug
>mailing list, as I don't know if they have multiple lists etc. If the
>sheflugger(s) on this list feel it's appropriate, feel free to cross-post
>it.
>------- End of forwarded message -------
>
>Rob Speed,
>Systems Analyst/Programmer.
>Vickers Laboratories Ltd.
>Grangefield Industrial Estate, Pudsey, Leeds LS28 6QW
>Switchboard: +44 (0)113 236 2811 Fax: +44 (0)113 236 2703
>
>All opinions are my own and ! Vickers.
>< Press space once to quit, or twice to save entire work >
>---------------------------------------------------------------------
>Sheffield Linux User's Group - http://www.sheflug.co.uk
>To unsubscribe from this list send mail to
>- <sheflug-request [at] vuw.ac.nz> - with the word
> "unsubscribe" in the body of the message.
>
> GNU the choice of a complete generation.
----
Barrie J. Bremner
Email: TheEnglishman [at] ecosse.net
(PGP key available at my website)
URL: http://www.geocities.com/thefatenglishman
Telephone: UK 01672 811246
Mobile: UK 07968 792975
The answer to your question is....Welcome to Tomorrow!
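The hosts.allow / hosts.deny rules from the forwarded post, as an added example that is not part of the thread: a small Python emulation of the tcpd decision order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted), covering only the pattern forms the post uses (ALL, LOCAL, a trailing-dot address prefix, a leading-dot domain suffix). The daemon names and client addresses below are constructed for the demo.

```python
# Added example, not from the post: emulate the libwrap/tcpd hosts_access
# decision for the hosts.* lines quoted above.  Real libwrap also supports
# EXCEPT, KNOWN/UNKNOWN/PARANOID, netmasks, @netgroups and shell commands;
# those are deliberately left out here.

ALLOW = """
ALL: LOCAL
ALL: 10.0.0.
in.identd: ALL
"""
DENY = "ALL: ALL"


def parse(table):
    """Return [(daemon_patterns, client_patterns)] from hosts.* text."""
    rules = []
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments / blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules


def client_matches(pattern, ip, hostname):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in hostname          # any name without a dot
    if pattern.endswith("."):
        return ip.startswith(pattern)       # '10.0.0.' -> 10.0.0.x only
    if pattern.startswith("."):
        return hostname.endswith(pattern)   # '.mycustomer.co.uk' suffix
    return pattern in (ip, hostname)        # otherwise an exact match


def table_matches(rules, daemon, ip, hostname):
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(client_matches(c, ip, hostname) for c in clients):
                return True
    return False


def hosts_access(daemon, ip, hostname, allow=ALLOW, deny=DENY):
    """True if tcpd would admit this client to this daemon."""
    if table_matches(parse(allow), daemon, ip, hostname):
        return True
    if table_matches(parse(deny), daemon, ip, hostname):
        return False
    return True                             # no rule matched: allowed


if __name__ == "__main__":
    for case in [("in.ftpd", "10.0.0.7", "ws7.lan"),
                 ("in.ftpd", "203.0.113.9", "host.example.net"),
                 ("in.identd", "203.0.113.9", "host.example.net")]:
        print(case, "->", "allow" if hosts_access(*case) else "deny")
```

Note that the hostname used for LOCAL and suffix patterns comes from a reverse DNS lookup that the client's network can influence, which is why the post's own security argument rests on the 10.0.0. address prefix and an ALL: ALL deny rather than on names.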