On Sun, Nov 13, 2005 at 11:44:31AM -0600, Harry Putnam wrote:
> You have a fast smart mouth on you Mr.  Wong.  But thanks just the
> same.  I got in my head you both were talking about the scheduling
> area.  My mistake.  I noticed it soon after posting and found the
> place to make these settings shortly thereafter.

=) Willie is fine.  "Mr. Wong" doesn't become me. 

> There is a problem with it I'll explain in a minute but first let me
> ask if you are actually using your router to do something similar to
> what I described?

Yes and no.... I firewall off some access for wireless devices around
home. Mostly so people who are "visiting" with their computers won't
cause heavy disruption (by, for example, getting a spyware/spambot
infected machine onto my network and pissing off my ISP). But I do not
block off all services. 

> Reason I ask is here it appears it would be a very shaky way to go.
> In the blocking area there is a list of 11 services to block.
> Services can be added in a different area but even then one is just
> guessing and hoping any attacker doesn't use a port for which
> there is no service or one you forgot to add.

True. That's one question I've been wondering. Since I do *not*
actually have a FSV318 (like I said, I have a way lower end Netgear
router), I was wondering about what I saw in the manual. The page I
referred you to had a sample screen that says something akin to
"Clicking here enables ALL services for ALL local LAN addresses". (I
hope you know which screencap I am talking about.) So
  1) Does such screen exist?
  2) If it does, if you only enable OUTBOUND service for the two
  computers you want, does it do the job? 
The other consideration is that: so long as your computer has no way
of initiating outbound HTTP/S, FTP, TELNET, SSH, etc. access (those in
the list), I highly doubt there's a way for the computer to get
_passively_ infected by malware. What I mean is that there are
basically two ways for the attack to happen:
  1) The attacker puts his stuff on the 'web and waits for people to
  click on it (software that bundles spyware, malformed webpages).
  2) The attacker actively attacks you. 
For case 1), blocking outbound services on those 11 ports should be
sufficient (especially if you administer your own small network and
don't let random strangers off the street play with your boxes). 

For case 2), that is what a firewall is for. Judging by your setup I
am assuming you have NAT set up (of course, you could have 5 ips from
the ISP, but in principle you won't need a router then...). In that
case without explicitly forwarding ports or setting up a DMZ, there
really isn't a way for the attacker to attack your computers without
the router/firewall being seriously compromised. 

> just hoping you didn't overlook something.  Again, no way to just say
> `block all incoming/outgoing'.

Again (sorry if I sound redundant), you only need to block all
OUTGOING at the router level. Incoming is blocked by assumption unless
you set up port forwarding. That is what a firewall means after all. 

> If you've been doing this overtime it would be encouraging to hear it
> has worked with no problems

Sorry... no way to tell: different models of router, different level
of security we are talking about here. I put my linux box on the DMZ
and run iptables on it... I've seen scripted attacks hitting my DMZ
box, but nothing has ever hit computers behind the router's firewall.
So I guess I must be doing something right. =)
> 
> Getting back to using the gentoo box for this:
> 
> One poster mentioned, he thought it would require hard wiring the win
> boxes to run thru the gentoo first.

That's the only way to be safe. 

> I'm wondering if it would work to just set the gentoo box as gateway
> for them even though they are coming in thru the router first.
> Haven't tried any of that since I need an undisturbed internet
> connection for a while more yet.

If the windows boxes are wired to the router, then it would be
possible to change a setting in windows and make them use the router
as the gateway. And if the router is not set up to block services, they
would have direct access to the internet. 

If blocking (finite number of) services sounds shaky to you, then I
think only hard-wiring the boxes to pass through the gentoo box would
be secure enough for you. 

If you have some budget: get a second NIC for your gentoo box, hook it
directly up to the internet. Point the second NIC to your netgear
router, and set up the router to function only as switch (no address
translation, no dhcp, nothing). Follow the gentoo home networking
guide http://www.gentoo.org/doc/en/home-router-howto.xml to set up your
gentoo box as a router/firewall. And then you can explicitly block all
outbound connections from the three machines in question. 

So....

                                               / Windows 1
 Internet ----  Gentoo box ---- Netgear Router - Windows 2
                                               \ Windows 3
                                                \ Windows 4
W
-- 
Why don't you just jack the hubble?
    ~Alex MacDonald
Sortir en Pantoufles: up 1 day, 10:17
-- 
gentoo-user@gentoo.org mailing list
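Added example, not code from the thread or from the Gentoo howto: a POSIX shell script for the two-NIC Gentoo router sketched above, generating the iptables rules that forward nothing from the named Windows boxes (logging each attempt) while the rest of the LAN goes out through NAT. The interface names, the 192.168.1.0/24 LAN and the three host addresses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Gentoo box with two NICs as the
# router/firewall; the Netgear behind it acts as a plain switch.
# Assumed (not in the thread): eth0 faces the Internet, eth1 faces the switch,
# the LAN is 192.168.1.0/24 and the Windows boxes to isolate are .11 to .13.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
BLOCKED_HOSTS="192.168.1.11 192.168.1.12 192.168.1.13"

# Print the iptables commands instead of running them, so the ruleset can be
# reviewed before it is applied on the router.
build_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
EOF
    # Blocked hosts first: nothing they send is forwarded, and each attempt is
    # logged so an infected box shows up in the router's kernel log.
    for host in $BLOCKED_HOSTS; do
        echo "iptables -A FORWARD -i $LAN_IF -s $host -j LOG --log-prefix \"blocked-outbound: \""
        echo "iptables -A FORWARD -i $LAN_IF -s $host -j DROP"
    done
    # Everyone else: replies to existing flows, then new LAN->WAN connections,
    # masqueraded behind the WAN address. Nothing unsolicited comes in because
    # FORWARD's policy is DROP and no port is forwarded.
    cat <<EOF
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Run as root on the Gentoo box to apply the generated rules.
apply_rules() {
    build_rules | sh
}

if [ "${1:-}" = "--apply" ]; then apply_rules; else build_rules; fi
```

Without `--apply` the script only prints the rules; the per-host DROP lines come before the general LAN accept, which is what makes the block effective regardless of which port the box tries.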
