On Mon, 06 Nov 2000 00:32:29 +0000 (UTC), Pollywog said:
>
> On 06-Nov-2000 Christopher W. Aiken wrote:
>
> > Why can't I just set my "/etc/hosts.deny" file to "ALL: PARANOID" and
> > comment out the "telnet", "ftp" and "http" lines in my "/etc/inetd.conf"
> > file? Wouldn't that be enough protection for my system?
>
> It is not enough, because most services do not run from inetd and don't use
> TCP Wrappers. You do need the firewall. I see all sorts of connection
> attempts on my DSL. Many are probably innocent, but I would guess that some
> of them are script kiddies.
After turning off services including inetd and making sure all other servers like the X server, font server and SQL server were running with '-nolisten tcp', I am able to run 'nmap' and all my 65535 ports are closed. Running an intrusion detection program, 'firestarter', shows my cable box is getting all kinds of hits, including NetBIOS from Windows boxes. Now I do have ipchains also set up on my stand-alone computer, but I felt a firewall with NAT (IP masquerading) would isolate me from those cable hits, which could be anything.

I estimated an old 486 and some NICs would cost about $100. But since I didn't want another noisy big box around, I got a Netgear gateway-router for only a few dollars more. This little gem has a 4-port 10/100 switch built in for your LAN, acts as DHCP client and server, does NAT and has programmable filters just like ipchains rules. I was able to just plug it in and use it with the default filters, as it gets DHCP from the cable modem. Now when I run intrusion detection I have no hits on my internal single-box LAN. You can see the review and user opinions at practicallynetworked.com.

-- 
gEEk||dOOd^Deb+iaN&&XFce$aaZZ goes<Pronto>(-_-)
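The post above verifies from the outside, with nmap, that nothing is listening after inetd was disabled and X, the font server and the SQL server were started with '-nolisten tcp'. The complementary check is from the inside: read the kernel's socket table and list every TCP socket in LISTEN state, distinguishing sockets bound to a loopback address (reachable only locally) from sockets bound to a wildcard or real interface address (reachable from the cable segment). This is an added example and not code from the thread; the two socket tables are constructed to mimic /proc/net/tcp before and after that hardening, and the address decoding assumes a little-endian (x86) host, because the kernel writes each 32-bit address word in host byte order.

```python
"""List listening TCP sockets from /proc/net/tcp{,6}-style text and flag
the ones exposed beyond loopback. Added example; sample tables are constructed."""
import ipaddress
from pathlib import Path

LISTEN_STATE = "0A"  # value of the 'st' column for TCP LISTEN

# Constructed /proc/net/tcp snapshot "before" hardening:
#   X on 0.0.0.0:6000 (0x1770), telnet on 0.0.0.0:23 (0x0017),
#   mysql on 127.0.0.1:3306 (0x0CEA), and one ESTABLISHED (st 01) flow
#   that must not be reported.
BEFORE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0 100 0 0 10 0
   1: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   100        0 33333 1 0 100 0 0 10 0
   3: 0200000A:C3A4 5D2E8A63:0050 01 00000000:00000000 00:00000000 00000000  1000        0 44444 1 0 20 4 30 10 -1
"""

# Constructed "after" snapshot (tcp and tcp6 concatenated, as a live read would do):
#   inetd gone, X not listening at all, mysql still on 127.0.0.1:3306,
#   a font server on [::1]:7100 (0x1BBC). Nothing is bound beyond loopback.
AFTER = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   100        0 33333 1 0 100 0 0 10 0
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:1BBC 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 55555 1 0 100 0 0 10 0
"""


def hex_to_ip(ip_hex: str) -> ipaddress._BaseAddress:
    """Decode the kernel's hex address field (IPv4: 8 chars, IPv6: 32 chars).

    Each 32-bit word is printed in host byte order; assuming a little-endian
    host, reversing the bytes of every 4-byte word yields network order.
    """
    raw = bytes.fromhex(ip_hex)
    words = [raw[i:i + 4][::-1] for i in range(0, len(raw), 4)]
    return ipaddress.ip_address(b"".join(words))


def listening_sockets(table_text: str) -> list[tuple[ipaddress._BaseAddress, int]]:
    """Return (local_ip, local_port) for every row in LISTEN state.

    Header rows (first field 'sl') are skipped, so /proc/net/tcp and
    /proc/net/tcp6 can simply be concatenated.
    """
    found = []
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "sl" or fields[3] != LISTEN_STATE:
            continue
        ip_hex, port_hex = fields[1].split(":")
        found.append((hex_to_ip(ip_hex), int(port_hex, 16)))
    return found


def exposed_ports(sockets: list[tuple[ipaddress._BaseAddress, int]]) -> list[int]:
    """Ports bound to anything other than a loopback address, i.e. what an
    external nmap scan (or the cable segment) could actually reach."""
    return sorted({port for ip, port in sockets if not ip.is_loopback})


def live_exposed_ports() -> list[int]:
    """Same check against the real kernel tables on a Linux host."""
    text = "".join(
        Path(p).read_text() for p in ("/proc/net/tcp", "/proc/net/tcp6") if Path(p).exists()
    )
    return exposed_ports(listening_sockets(text))


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        socks = listening_sockets(table)
        print(label, [(str(ip), port) for ip, port in socks], "exposed:", exposed_ports(socks))
    print("this host exposes:", live_exposed_ports())
```

A socket on a loopback address is not reachable from the cable modem regardless of firewalling, which is why the SQL server bound to 127.0.0.1 is fine to keep while X on 0.0.0.0:6000 is not; the nmap scan from outside and this read from inside should agree, and a port that shows up in one but not the other points at a filter (ipchains or the router) rather than at the service itself.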