On Sun, Nov 05, 2000 at 07:13:25PM -0500, Christopher W. Aiken wrote:
> My "Mom & Pop" phone company had an insert in my latest phone bill
> that indicated they would be providing DSL service in the very near
> future. A friend of mine suggested that if I get the DSL service
> that I should set up a firewall to protect myself.

You have a good friend! ;-)

> He also suggested that I start with a page on the net (TrinityOS at
> http://24.7.216.129:8192/) that has some basic ipchain
> configurations. I don't understand any of this stuff, but the
> TrinityOS pages had a 100 line rc.firewall script and a 1300 line
> ipchains config file. Is all of this really necessary? Why can't I
> just set my "/etc/hosts.deny" file to "ALL: PARANOID", comment out
> the "telnet" "ftp" and "http" lines out of my "/etc/inetd.conf"
> file? Wouldn't that be enough protection for my system?

It does sound like a bit of overkill, doesn't it? Still, I wouldn't take
the information at TrinityOS lightly. Rather, I would roll that
information into my own bag of tricks (and will shortly... I forgot all
about that site).

At a bare minimum, if that's all you want, I would install the ipmasq
package. Personally, I'm not fond of the package, but it will get you up
and running in short order.

I have a few tips for you that might help you in your quest for security.

 * Take heed to TrinityOS's suggestions.[1]
 * Check out LIDS (Linux Intrusion Detection System)[2]
 * Read the Linux Documentation Project's Security Guide[3]
 * Place this rule at the end of each chain while debugging:

       ipchains -A <chain> -j DENY -l

   (That means, DENY the packet and log it... tail -f /var/log/syslog)
 * Avoid inetd, but if you must, use xinetd.
 * Repeat this phrase: "A firewall is a firewall is a firewall."
   If at any time you catch yourself saying, "I could put <insert
   favorite service here> on the firewall." Slap yourself in the face
   and repeat the mantra again. Repeat until you get it right. If you
   do otherwise, just remember, "I warned you!"

References
----------
[1] http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos
[2] http://www.lids.org/
[3] 'apt-get install lasg' or http://www.linuxdoc.org/LDP/lasg/

-- 
Chad "^chewie, gunnarr" Walstrom <[EMAIL PROTECTED]>
http://www.wookimus.net/
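A minimal rc.firewall in the spirit of the tips above, as an added example rather than code from this thread or from TrinityOS. It assumes the DSL link is ppp0 on a 2.2-era kernel with ipchains; setting IPCHAINS=echo prints the rules instead of installing them.

```shell
#!/bin/sh
# Minimal ipchains host firewall for a single box on a DSL line.
# Assumptions (not from the thread): the DSL link is ppp0, the kernel is a
# 2.2-era one with ipchains, and only replies to our own traffic are wanted.
IPCHAINS="${IPCHAINS:-ipchains}"   # IPCHAINS=echo previews instead of applying
EXT_IF="${EXT_IF:-ppp0}"

build_firewall() {
    # Start from a clean slate with deny-by-default input/forward policies.
    "$IPCHAINS" -F input
    "$IPCHAINS" -F output
    "$IPCHAINS" -F forward
    "$IPCHAINS" -P input DENY
    "$IPCHAINS" -P output ACCEPT
    "$IPCHAINS" -P forward DENY

    # Local processes talking to each other over loopback.
    "$IPCHAINS" -A input -i lo -j ACCEPT

    # Packets arriving on the DSL link that claim a private or loopback
    # source address are spoofed: deny them and log them.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        "$IPCHAINS" -A input -i "$EXT_IF" -s "$net" -j DENY -l
    done

    # TCP: accept everything except new connection attempts (SYN-only
    # segments), so replies to connections we opened still get in.
    "$IPCHAINS" -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # UDP: DNS answers from the resolver we query.
    "$IPCHAINS" -A input -i "$EXT_IF" -p udp --source-port 53 -j ACCEPT
    # ICMP: let error reports and ping replies back in.
    for t in destination-unreachable time-exceeded echo-reply; do
        "$IPCHAINS" -A input -i "$EXT_IF" -p icmp --icmp-type "$t" -j ACCEPT
    done

    # The debugging rule from the post: whatever fell through is denied
    # AND logged, so 'tail -f /var/log/syslog' shows what the policy eats.
    "$IPCHAINS" -A input -j DENY -l
}

# Print the last input-chain rule the script would install (for checking).
last_input_rule() {
    (IPCHAINS=echo; build_firewall) | grep -- '-A input' | tail -n 1
}

if [ "${1:-}" = "--apply" ]; then
    build_firewall
fi
```

Run it as root with --apply to install the rules; without arguments it only defines the functions.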