On Tue, 21 Mar 2000, Rich Payne <[EMAIL PROTECTED]> wrote:
> Yes, Paul raises a good point here that I should have touched upon. Do not
> run anything on that system that it doesn't need, this includes:
> 
> Any of the r programs (rsh, rexec, etc....) (edit your /etc/inetd.conf)
> Anything to do with NFS, NIS
> Telnet, use ssh instead
> Don't run anon-ftp unless you really need it
> X
> imap,pop, even sendmail if you don't need it
> DHCP/BOOTP
> SWAT (Samba config), LinuxConf
> talk etc.....

Yes, it is good to not run this type of stuff on the firewall.

Another way to approach thinking about this (perhaps more relevant to a
simple home LAN we're talking about than for a company) is to set
up the firewall to block any access to these sorts of services so that there
would not be a problem even if they were *accidentally* running.

By this I mean, start from a very tight ship:

 - Block *ALL* UDP traffic to/from the internet, except for DNS to a small
   number of known servers (e.g. your ISP and/or what is in
   /etc/resolv.conf). If your firewall box gets its IP address from your ISP
   (e.g. mediaone), you'd also need to let in UDP traffic for
   DHCP/BOOTP exchanges with your ISP.

 - Block *ALL* incoming TCP connections from the internet, except for
   the services you want to provide. This might be, e.g., 1) nothing,
   2) incoming ssh only, 3) sendmail/webserver...

 - There are probably just a few ICMPs you'd want to accept (can't remember
   just now which ones are OK)

I'm not advocating being lazy about what one runs on the firewall box,
but the above provides a great first defense. And for a Home system one
can get away with a tight setup since the users tend to be more
reasonable than at work ;-)

Karl Runge
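The three-bullet policy above written out as an nftables ruleset, as an added example that is not from Karl's post or the list (nftables did not exist in 2000; the same policy would have been expressed with ipchains then). The WAN interface name, resolver addresses and offered TCP ports are passed in by the caller, and the ICMP types accepted are my assumption, since the post leaves that choice open.

```shell
#!/bin/sh
# Emit an nftables ruleset for Karl's "tight ship" policy. Nothing is applied here;
# review the output, then load it with:  gen_ruleset eth0 "192.0.2.53" "22" | nft -f -
gen_ruleset() {
    wan="$1"          # interface facing the ISP (assumed name passed by caller)
    dns_servers="$2"  # space-separated resolver IPs, e.g. those in /etc/resolv.conf
    tcp_ports="$3"    # space-separated TCP ports offered to the internet ("" = none)

    printf 'table inet fw {\n'
    printf '  set dns_servers { type ipv4_addr; elements = { %s } }\n' \
        "$(printf '%s' "$dns_servers" | sed 's/  */, /g')"
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy drop;\n'
    printf '    iif lo accept\n'
    printf '    ct state invalid drop\n'
    printf '    ct state established,related accept\n'
    # DHCP/BOOTP replies from the ISP when the WAN address is dynamic
    printf '    iif %s udp sport 67 udp dport 68 accept\n' "$wan"
    # assumed minimal ICMP set: error types needed for PMTU discovery and
    # traceroute, plus rate-limited ping; the post leaves this choice open
    printf '    iif %s icmp type { destination-unreachable, time-exceeded, parameter-problem } accept\n' "$wan"
    printf '    iif %s icmp type echo-request limit rate 5/second accept\n' "$wan"
    # inbound TCP: only the services explicitly offered, nothing else
    for p in $tcp_ports; do
        printf '    iif %s tcp dport %s ct state new accept\n' "$wan" "$p"
    done
    printf '  }\n'
    printf '  chain output {\n'
    printf '    type filter hook output priority 0; policy accept;\n'
    # all UDP towards the internet is dropped except DNS to the known resolvers
    # and the DHCP client side; replies come back via the established rule above
    printf '    oif %s udp dport 53 ip daddr @dns_servers accept\n' "$wan"
    printf '    oif %s udp sport 68 udp dport 67 accept\n' "$wan"
    printf '    oif %s meta l4proto udp drop\n' "$wan"
    printf '  }\n'
    printf '}\n'
}
```

Case 1) from the post ("nothing") is simply an empty third argument, which emits no inbound TCP accept rule at all.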

