--- John Summerfield <[EMAIL PROTECTED]> wrote:

> Hosts on the internet can only connect to other hosts that they can see.
> In your case, they can see your gateway, but not the rest of the LAN.
>
> Mostly, hosts on the internet can only connect to ports that are open.
>
> I say "mostly," because there have been bugs in various IP stacks that
> allowed other hosts to do evil things without finding an open port.
> Probably the most famous was Teardrop that affected, amongst other
> things, Windows 95, Windows 98 (well after the fix for Windows 95 was
> released!) and Linux. Famously, the Linux fix was available in less than
> 24 hours.
>
> Mostly, though, attacks succeed through open ports such as 25 (incoming
> mail), 80 (web servers) and such. Actually, a firewall isn't going to do
> a lot to help you there _unless_ you have one that detects bad traffic
> (such as connects to ports nobody has any business connecting to on
> _your_ system) and then denies access from the bad side to all your
> network.
>
> ISPs could do a lot of good here by detecting Code Red (it's still
> around) and other nasties and
> a) Shutting down sources in their own networks
> b) Shutting out sources from outside their networks.
>
> You can use firewall software on your gateway to block and log all
> traffic you don't want. You will see lots of traffic from people
> hammering on your door. This can also help to block connexions to
> misconfigured daemons on your gateway: if you happen to be running
> postgresql there, you could have it listening to all IP addresses, but
> connexions from external hosts can't reach it because your firewall rules
> block them.
>
> Better, of course, to configure postgresql properly, but that can be
> tricky.
>
> Writing firewall rules using iptables is not a task for a beginner, and
> there are several higher-level packages available to help with the task.
> I use shorewall, but there are others.
>
> Now, despite your firewall, there's traffic that comes right through it
> _at your invitation,_ no less! Consider www requests such as that 26
> Mbyte SP2 for XP. Email.
>
> Those can do bad things too, and that's where content filters such as
> spamassassin (email), MimeDefang (email), Squidguard, DansGuardian and
> your AV software come in.
Thanks for taking the time to put together such a comprehensive answer.

> Fifty bucks please:-)

Yes, well... check's in the post (!) ;)

--
Matt
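An added example, not part of the thread and not code from either poster: a small Python script showing how the "block and log" gateway firewall John describes can be turned into the behaviour he says actually helps, spotting sources that connect to ports nobody has any business reaching (a postgresql that listens on all addresses, the Windows file-sharing ports the worms hammered) and then denying those sources access to the whole network. The log lines, the FW-DROP log prefix, the addresses (taken from the RFC 5737 documentation ranges), the port list and the threshold are all constructed assumptions; the iptables commands it renders are the standard `-I INPUT`/`-I FORWARD ... -j DROP` form and are printed, not executed.

```python
"""Summarise iptables LOG entries from a gateway and turn repeat offenders
into DROP rules. Added example: log lines, prefix, ports and threshold are
constructed for illustration."""
import re
from collections import Counter, defaultdict

# Ports on this (hypothetical) gateway that no external host has any business
# reaching: a postgresql that happens to listen on all addresses (5432) and
# the Windows RPC/file-sharing ports (135, 139, 445).
NO_BUSINESS_PORTS = {135, 139, 445, 5432}

# Constructed sample of what "iptables -j LOG --log-prefix FW-DROP:" produces
# in the kernel log, plus one unrelated sshd line to show it is skipped.
SAMPLE_LOG = """\
Sep 14 02:11:03 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TTL=115 PROTO=TCP SPT=2233 DPT=5432 SYN
Sep 14 02:11:05 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TTL=115 PROTO=TCP SPT=2234 DPT=445 SYN
Sep 14 02:11:09 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TTL=115 PROTO=TCP SPT=2235 DPT=135 SYN
Sep 14 02:12:40 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.99 DST=198.51.100.2 LEN=48 TTL=52 PROTO=TCP SPT=40122 DPT=80 SYN
Sep 14 02:13:01 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.19 DST=198.51.100.2 LEN=48 TTL=64 PROTO=TCP SPT=1025 DPT=139 SYN
Sep 14 02:13:02 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.19 DST=198.51.100.2 LEN=78 TTL=64 PROTO=UDP SPT=1026 DPT=5432
Sep 14 02:14:30 gw sshd[1234]: Accepted publickey for matt from 203.0.113.99 port 40123 ssh2
"""

# The key=value fields of a kernel iptables LOG line that we care about.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_log_line(line):
    """Return a dict of SRC/DST/PROTO/SPT/DPT for an iptables LOG line,
    with the ports as ints, or None for any other kind of log line."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    for key in ("SPT", "DPT"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def find_offenders(lines, threshold=2):
    """Count, per source address, the logged TCP connects to no-business
    ports and return [(src, hits, sorted_ports)] for every source with at
    least `threshold` hits, most active first."""
    hits = Counter()
    ports = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        # Only TCP SYNs to the listed ports count; a stray UDP datagram or a
        # connect to port 80 is not evidence of scanning.
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if rec.get("DPT") in NO_BUSINESS_PORTS:
            hits[rec["SRC"]] += 1
            ports[rec["SRC"]].add(rec["DPT"])
    return [(src, n, sorted(ports[src]))
            for src, n in hits.most_common() if n >= threshold]


def drop_rules(offenders):
    """Render iptables commands denying each offending source to the whole
    network: FORWARD covers the LAN behind the gateway, INPUT the gateway
    itself. Rules are inserted at the top so they win over any ACCEPT."""
    cmds = []
    for src, _, _ in offenders:
        cmds.append(f"iptables -I FORWARD -s {src} -j DROP")
        cmds.append(f"iptables -I INPUT -s {src} -j DROP")
    return cmds


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG.splitlines())
    for src, n, dports in offenders:
        print(f"{src}: {n} connects to no-business ports {dports}")
    for cmd in drop_rules(offenders):
        print(cmd)
```

On the constructed sample only 203.0.113.7 crosses the threshold (three SYNs, to 5432, 445 and 135); 192.0.2.19 is logged once on TCP and once on UDP and stays below it, and the host that merely tried port 80 is never counted. In practice you would feed the output of `grep FW-DROP /var/log/kern.log` into `find_offenders` and review the rendered commands before running them, since a single mistyped source would lock out a legitimate peer.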