Re: [Sheflug] Firewalls and port scanners
> Hi all,
>
> I have been messing around with ipchains to make a simple firewall for
> internet use. I have used shields-up! at www.grc.com, but I vaguely
> remember some talk about alternative, more generic (shields up is
> intended to test windows machines primarily. It has a lot of NetBIOS stuff
> there) port scanners.
It's a good start but not brilliant - what you want is someone outside to use
a program like nmap to portscan your entire machine :)
>
> As I do not wish to have any publicly open ports at this time, would
> blanket-rejecting anything on ppp-in be acceptable?
>
No. This may be fine for TCP, to a point (FTP will be your problem), but UDP
needs some open ports depending on what you use (DNS needs 53, ICQ needs 4000
and some extra config depending on what you're doing, Real-player needs a UDP
port open as well)...it depends on your application.
What I have open, that you may find useful:
Proto Chain   Source          Destination            Iface
----- ------- --------------- ---------------------- -----
icmp  input   0/0             0/0                    ppp0
tcp   input   0/0             0/0:icq-low:icq-high   ppp0
tcp   input   0/0:ftp-data    0/0                    ppp0
udp   input   0/0:domain      0/0                    ppp0
udp   input   0/0:icq-serv    0/0                    ppp0
udp   input   0/0             0/0:real-player        ppp0
Notes: icq-low, icq-high, and icq-serv are custom defined by me in
/etc/services...icq-low and icq-high are the ports I have defined in licq
that it should use. icq-serv is defined as port 4000. The ftp-data entry is
so FTP works.
This is pretty liberal - and it could be tightened up more, but it's
sufficient for me.
If you're going to be using masquerading, and run ICQ on a windows box behind
the firewall, then you need to make use of port forwarding so things like
incoming chat requests work (ie, incoming request to port 3000 on firewall
gets sent on to ICQ on the win box that is listening for requests on 3000).
Some people argue it's good to block ICMP...I disagree.../some/ ICMP stuff
maybe (eg, echo-request) but it depends on your paranoia. I'd rather have all
ICMP control packets come through to my box personally. I think networking
folk are split down the middle on this one.
> Finally, I have been messing with gfcc, a Gnome/GTK+ firewall config
> program which has several templates and can output shell scripts in an
> instant. It makes the whole process much more pleasant.
>
I've got a script that processes a rules file...I got fed up trying to
remember the ipchains and ipmasqadm command lines, so wrote an rc script to
read a config file with all the rules in. Works quite nicely for me :)
Chris...
--
@}-,'-------------------------------------------------- Chris Johnson --'-{ [at]
/ "If not for me then, do it for yourself. / sixie [at] nccnet.co.uk \
/ If not for me, then do it for the world" / www.nccnet.co.uk/~sixie \
/ -- Stevie Nicks / \
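The following is an added example, not Chris's rc script or anything posted to the list. It shows one way to do what his reply describes: a POSIX sh processor that reads a rules file in the same "proto chain source destination iface" layout as the ipchains listing above, prints the ipchains commands that would install those rules on top of a deny-by-default input chain, and emits the ipmasqadm port-forward for the ICQ chat-request case. The rules-file format, the ACCEPT target for every listed rule, the DENY policy, and the 192.0.2.1 / 192.168.1.2 addresses are all assumptions made for the example; the service names (icq-low, icq-serv, real-player) still have to exist in /etc/services on the box that runs the generated commands, exactly as the post says.

```shell
#!/bin/sh
# Added example, not the list author's own rc script: a rule-file
# processor in the spirit of the one Chris describes. It reads lines in
# the same "proto chain source destination iface" layout as the ipchains
# listing in the post and prints the ipchains commands that would
# install them. Nothing is executed unless RUN=1 (and then as root).
# Assumptions not on the page: the rule-file format, ACCEPT as the
# target for every listed rule, DENY as the default input policy, and
# the sample addresses used below.

# "addr[:port[:port]]" -> "addr port" / "addr port:port" / "addr",
# which is how ipchains takes -s and -d with an optional port or range.
addr_port() {
    case $1 in
        *:*) printf '%s %s' "${1%%:*}" "${1#*:}" ;;
        *)   printf '%s' "$1" ;;
    esac
}

# One table line -> one ipchains command on stdout. Returns 1 on a
# malformed line so a typo in the file does not silently vanish.
rule_to_ipchains() {
    set -- $1
    [ $# -eq 5 ] || { echo "bad rule: $*" >&2; return 1; }
    printf 'ipchains -A %s -p %s -s %s -d %s -i %s -j ACCEPT\n' \
        "$2" "$1" "$(addr_port "$3")" "$(addr_port "$4")" "$5"
}

# ipmasqadm port forward: external PORT on the firewall's address to
# the same port on a masqueraded host (the ICQ chat-request case).
# Arguments: proto firewall_addr port inner_host
portfw_cmd() {
    printf 'ipmasqadm portfw -a -P %s -L %s %s -R %s %s\n' \
        "$1" "$2" "$3" "$4" "$3"
}

# Emit the whole command list: flush, deny by default, then the rules.
# Blank lines and '#' comments in the file are skipped.
gen_firewall() {
    printf 'ipchains -F input\nipchains -P input DENY\n'
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
    while IFS= read -r line; do
        rule_to_ipchains "$line" || exit 1
    done
}

# How many commands a rules file produces (the two policy lines included).
count_cmds() { gen_firewall "$1" | wc -l | tr -d ' '; }

# Constructed rules file mirroring the listing in the post.
RULES_FILE=${TMPDIR:-/tmp}/sheflug-rules.$$
cat > "$RULES_FILE" <<'EOF'
# constructed rules file: proto chain source destination iface
icmp input 0/0 0/0 ppp0
tcp input 0/0 0/0:icq-low:icq-high ppp0
tcp input 0/0:ftp-data 0/0 ppp0
udp input 0/0:domain 0/0 ppp0
udp input 0/0:icq-serv 0/0 ppp0
udp input 0/0 0/0:real-player ppp0
EOF

# Dry run by default; RUN=1 pipes the generated commands into sh -e.
# 192.0.2.1 (firewall) and 192.168.1.2 (the win box) are constructed.
if [ "${RUN:-0}" = 1 ]; then
    gen_firewall "$RULES_FILE" | sh -e
    portfw_cmd tcp 192.0.2.1 3000 192.168.1.2 | sh -e
else
    gen_firewall "$RULES_FILE"
    portfw_cmd tcp 192.0.2.1 3000 192.168.1.2
fi
```

Run it as-is to see the command list it would install; only with RUN=1, as root, on a 2.2-era kernel with ipchains and ipmasqadm, does it actually touch the firewall. Keeping the generator separate from execution is the point: the rules file is readable at a glance, a malformed line aborts before anything is loaded, and the printed list can be diffed against `ipchains -L -n` to check that what is running is what the file says.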
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk