
Re: [Sheflug] Re: Firewall Stuff



> Alex Hudson wrote:
>
> > cat /etc/services | grep 'thing-to-search-for'
> >
> > i.e., www, ftp, ssh, etc...
> >
> > > ipchains -A input -s 0/0 3128 -j ACCEPT
>
>
> I've been able to get the internal LAN to ping itself with the
> firewall running and connected to my ISP.  Couldn't do that before.
> But, pinging my ISP reveals that there's nothing there.  Tried lots
> of.....
>
> ipchains -A input -s 0/0 80 -j ACCEPT
>
> also on ports 110, 25 and 21 which is ftp and still can't get through
> to my ISP after that. Also tried port 53 in the hope that might work.
> Nothing.  If I change the bit at the top of the file to ACCEPT from
> DENY it works fine but I can't see that the firewall will work in the
> way that it should if I do that.

Packets go both ways, i.e. there will be packets from 192.168.0.0/24
[somehighnum] -> 0/0 80. Your rule does not allow that.

ipchains -A input -s 192.168.0.0/24 -d 0/0 80 -i eth0 -j ACCEPT

does the trick (as well as any forwarding and output rules you might need).

To be honest, forget the port filtering, it's a crock on a home machine.
Disallow connections to the gateway (via ! -y), and maybe some spoofy-things
(i.e., no local IPs forwarded from outside, even though this won't make any
difference on a dial up), but that's all you need to do. Having an ACCEPT
policy on a home gateway is not all that much of a problem, because you're
not hosting any outside-accessible services or a DMZ behind the gateway, so
you can just block off all incoming connections. The only people who are
then going to be able to get in are people who really know what they're
doing (i.e., have broken the ISP wide already), who aren't worth worrying
about because a) they're not interested in your dial up machine, and b) it's
unlikely anything else you'd be able to do would protect you either.
The other way of getting in is utilising a known bug in the OS. So, keep
your kernel up to date if that causes you sleepless nights.

Anything more protective than dropping incoming connections is pretty
paranoid, and probably more effort than it's worth...

Cheers,

Alex.
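
As an added example (not code from the thread or from Alex), here is the
ruleset the reply describes written out as a small ipchains script: ACCEPT
policies, new inbound TCP connections and spoofed sources refused on the ISP
link, and masquerading for the LAN. It also shows the two-direction HTTP rules
from the first paragraph for anyone who does want a DENY policy. The interface
names ppp0 and eth0 are assumptions; 192.168.0.0/24 is the LAN range quoted in
the reply. Run without arguments it only prints the commands it would apply.

```shell
#!/bin/sh
# Added example, not code from the thread: the "block incoming connections,
# keep ACCEPT policies" ruleset Alex describes, plus the two-direction HTTP
# rules from his first paragraph.  Interface names and the LAN range are
# assumptions for illustration; adjust them to your setup.
EXT_IF=${EXT_IF:-ppp0}         # assumed: dial-up link to the ISP
INT_IF=${INT_IF:-eth0}         # assumed: LAN side of the gateway
LAN=${LAN:-192.168.0.0/24}     # LAN range quoted in the reply
DRY_RUN=${DRY_RUN:-0}          # DRY_RUN=1 prints the commands instead of running them

# Wrapper so the same functions can be previewed without root or ipchains.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo ipchains "$@"
    else
        ipchains "$@"
    fi
}

enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# The home-gateway ruleset from the reply: ACCEPT policies, so the LAN's
# outgoing requests and their replies need no per-port rules; only new
# inbound TCP connections and spoofed sources on the ISP link are refused.
# UDP and ICMP from outside are still accepted by policy, as the reply accepts.
firewall_rules() {
    rule -F                                   # start from a clean slate
    rule -P input ACCEPT
    rule -P output ACCEPT
    rule -P forward DENY                      # forward only what MASQ below allows

    # Anti-spoofing: LAN or loopback source addresses never arrive from the ISP.
    rule -A input -i "$EXT_IF" -s "$LAN" -j DENY -l
    rule -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l

    # Drop TCP packets that open a connection (SYN set, ACK/FIN clear: -y)
    # arriving from the ISP; replies to sessions the LAN started are "! -y"
    # and fall through to the ACCEPT policy.
    rule -A input -i "$EXT_IF" -p tcp -y -j DENY -l

    # Masquerade the LAN out of the dial-up link (on the forward chain,
    # -i names the outgoing interface).
    rule -A forward -i "$EXT_IF" -s "$LAN" -j MASQ
}

# The point of the first paragraph: with a DENY input policy each service
# needs a rule per direction.  "-s 0/0 80" on its own matches only a
# *source* port of 80, i.e. the reply, never the LAN's outgoing request.
# Ports need -p tcp (or -p udp) in front of them.
port_filtered_http() {
    # request: LAN, high port -> anywhere port 80, arriving on the LAN side
    rule -A input -i "$INT_IF" -p tcp -s "$LAN" -d 0/0 80 -j ACCEPT
    # reply: anywhere port 80 -> us, arriving from the ISP, never a new SYN.
    # No -d "$LAN" here: with masquerading the reply is addressed to the
    # gateway's own ppp0 address when the input chain sees it.
    rule -A input -i "$EXT_IF" -p tcp '!' -y -s 0/0 80 -j ACCEPT
}

# Usage:  sh firewall.sh apply   (as root, on an ipchains kernel)
#         sh firewall.sh         (prints the commands it would run)
case "${1:-show}" in
    apply) enable_forwarding; firewall_rules ;;
    *)     DRY_RUN=1; enable_forwarding; firewall_rules ;;
esac
```

Note that port_filtered_http is only printed or applied if you call it
yourself; with the ACCEPT policies in firewall_rules it is not needed, which
is exactly the reply's point.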



---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.