Greg Rundlett wrote:

So, my first question...Is a Linksys Router doing 'firewall' duty and NAT easy to get past? If the answer is yes, then what should I do? Use a firewall-specific distro to convert my old P133MHz box into a Linux firewall? Maybe someone wants $100 to come over and show me how it's done? (location Newburyport, MA or E. Kingston, NH)

Until you start forwarding some ports for running servers, NAT is actually pretty hard to get around; it won't forward any incoming connections unless you tell it to. Make sure to set the Linksys box not to accept any management connections from the WAN port, or else somebody could try to attack it.


If you want to be even more secure, you can set your router to block all incoming packets to ports other than the specific services you want to be able to use. That would protect you against machines on the LAN trying to make connections to unknown services on the outside. This takes more work, though, if anybody on the LAN wants to do online gaming or the like, since that often requires the use of unusual (and sometimes undocumented) ports.

If you forward any ports to an inside box, that box has to be properly secured, paying special attention to any ports that get forwarded to it. If you set up a machine to be a DMZ, as some NAT boxes allow (that is, a machine that receives ALL incoming ports from the outside world), that machine had better be running a really good firewall - it's even more sensitive than usual, because anyone who cracks it now has access to your LAN and the possibly unsecured machines on it.

If you have any Windows machines on the LAN, it's a good idea to block the ports that have been used by the popular Windows exploits: 135, 137-139, and 445. These should be blocked in both directions (incoming and outgoing); there are no commonly used services that use these ports that you would ever want to run over the Internet. With those filters in place, viruses like Blaster are fairly harmless (though they might generate some extra traffic on the LAN), even if machines on your LAN are infected.

None of this, of course, will protect against users downloading and installing Trojan horses or the like. You still have to watch out for those.
_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
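The advice in the reply above (default-deny NAT with no management from the WAN side, the Windows ports 135, 137-139 and 445 blocked in both directions, and port forwards limited to the one inside host that needs them) translates directly into an iptables ruleset for the kind of Linux firewall box the original poster was considering. The script below is an added example, not code from the thread; the interface names, the LAN subnet, the inside server address and the ssh management port are constructed assumptions. By default it only prints the iptables commands so they can be reviewed; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example of the filtering described in the reply above. Interface
# names, LAN subnet and addresses are constructed assumptions; adjust them.
# IPT defaults to a dry run that prints the commands instead of applying them.

WAN="${WAN:-eth0}"                   # assumed: interface facing the ISP
LAN="${LAN:-eth1}"                   # assumed: interface facing the home LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed LAN subnet
WIN_PORTS="135 137:139 445"          # the ports named in the reply
IPT="${IPT:-echo iptables}"          # dry run by default; IPT=iptables to apply

# Default-deny, stateful base: nothing unsolicited from the WAN reaches the
# firewall itself or gets forwarded, but replies to connections the LAN
# started are let back in (this is what a NAT box gives you "for free").
base_rules() {
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Management of the firewall (ssh here) only from the LAN side, never WAN.
  $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
}

# Drop the Windows networking ports in both directions. A dedicated chain
# keeps the list in one place; it is consulted before the general
# LAN-to-WAN accept rule, so ordering in all_rules matters.
win_port_rules() {
  $IPT -N WINBLOCK
  for p in $WIN_PORTS; do
    for proto in tcp udp; do
      $IPT -A WINBLOCK -p "$proto" --dport "$p" -j DROP
    done
  done
  $IPT -A FORWARD -j WINBLOCK          # both directions through the box
  $IPT -A INPUT -i "$WAN" -j WINBLOCK  # and the box's own WAN-facing side
}

# Let LAN hosts initiate outbound connections and masquerade them.
lan_out_rules() {
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
  $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Forward one WAN port to one inside host and port, and allow only that
# new connection through. The inside host must be hardened for that port.
# Usage: forward_port <wan-port> <inside-ip> <inside-port>
forward_port() {
  $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$1" \
       -j DNAT --to-destination "$2:$3"
  $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$2" -p tcp --dport "$3" \
       -m conntrack --ctstate NEW -j ACCEPT
}

# Full ruleset in the order the chains must be built.
all_rules() {
  base_rules
  win_port_rules
  lan_out_rules
  forward_port 8080 192.168.1.10 80   # assumed example: web server on the LAN
}

all_rules
```

Because the drop rules sit in their own WINBLOCK chain that FORWARD and INPUT jump to before the general accept, a LAN host infected with something like Blaster cannot reach port 135 or 445 on the outside, and nothing on the outside can reach those ports on the LAN or on the firewall itself. The forwarded port is the one deliberate hole, and it only opens the single inside host and port you name.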
