Ralph Shumaker wrote:
> James G. Sack (jim) wrote:
>> Ralph Shumaker wrote:
>>> James G. Sack (jim) wrote:
..
>>> ..
>>> nfs was not enabled. Stopped nfslock (which stopped rpc.statd). And
>>> stopped rpcbind. Disabled them and saved.
>>>
>>> I don't know if they are related, but rpcgssd is enabled and running, as
>>> well as rpcidmapd.
>>>
>>
>> I guess those are all related (because of the rpc prefix), and all
>> unnecessary in your setup.
>>
>
> rpcgssd failed to stop, but didn't claim to be running. It was
> checkmarked for loading tho.
>
> rpcidmapd shut down successfully.
>
> Both said something about NFSv4, which I don't think I'm using. I have
> disabled them from starting up again (in runlevel 5 anyway).
No other computers on your network .. no reason to run NFS (Network File
Sharing) service, no NFSv? (anything) .. No steenkin' NFS! :-) unless you
want to, of course ;-)

..
>>> So what should I do about port 631?
>>>
>>
>> Google-poking shows some clue that it has to do with making (and/or
>> seeing?) announcements of printer availability on your local network.
>> Also that it seems to be controlled by
>> /etc/cups/cupsd
>> at the lines near
>> # Show shared printers on the local network.
>> You might experiment with these, because it seems you have no need for a
>> udp port being open on 631
>>
>
> I don't know if this helps:
> # ll /etc/cups/cupsd.conf*
> -rw-r----- 1 root lp 2474 2008-07-01 04:46 /etc/cups/cupsd.conf
> -rw-r----- 1 root lp 2474 2008-07-01 04:46 /etc/cups/cupsd.conf.default
>
> # diff /etc/cups/cupsd.conf /etc/cups/cupsd.conf.default
>
> Apparently, I have the default settings (Fedora 8). Being 2474 bytes,
> I'm hesitant to include the contents.

What I meant was to try playing with cupsd.conf -- and see if that had any
impact on the open ports, and if so, whether that interfered with printing.

For example, I changed
  Browsing On
to
  Browsing Off
and then restarted cupsd with
  service cupsd reload
I did notice that the open udp port that was on 0.0.0.0 (any interface)
went away. This was the open port of (possible) concern.

I do have some network printing operations, so I'm going to turn mine back
on. And besides I'm behind a firewall, so I'm not worried about the
internet talking to my cupsd.

..
>>> Mine is 68.183.yyy.zzz which doesn't resemble yours. My hostname
>>> currently is netblock-68-183-yyy-zzz, kinda like what Cox does IIRC.
>>>
>>
>> Oh, that is not a private IP address, it is a public one (accessible
>> from the internet), so you are right to avoid plastering it all around.
>> It is visible in your email headers -- but there's not anything you can
>> do about that, I believe.
>>
>> So your DSL modem is not doing any NAT.
>>
>
> Which is port forwarding?
>
>> ==> Somebody else will have to explain what is going on. I'd like to
>> know more about it myself. Maybe that implies there is no
>>
>
> ... implies there is no ???

Oops, I meant to append "firewall". Meaning maybe your modem doesn't have
firewall capabilities, or that it is somehow disabled?

The model you originally posted (dlink DSL-2320B) is supposed to have a
stateful firewall within, according to
http://www.dlink.com/products/resource.asp?pid=554&rid=2122&sec=0

The manual from
ftp://ftp.dlink.com/Broadband/dsl2320B/Manual/dsl2320B_Manual_12.zip
is what I looked at before. Hmmm, I'll have another look at it.

>
>>
>> The DSL management interface may or may not be accessible, though.
>> Here's what I would try:
>>
>> # ifconfig eth0:1 192.168.1.99
>> # ping 192.168.1.1
>> if ping works, point your browser at http://192.168.1.1, and poke around.
>>
>> What the above is, is an ethernet "alias" which behaves like another
>> interface working through the same hardware and ethernet wiring.
>>
>
> Yep, that did the trick. I'm in. Now I need to regress in this thread
> since what you suggested has either been snipped or I'm just not seeing it.
>
> If I found it, you suggested looking for unexpected port forwarding. I
> don't know where to look for that. There seems to be a _lot_ in there.
> But I did find a list of services:
> ☐ FTP
> ☑ HTTP
> ☑ ICMP
> ☑ SNMP
> ☑ TELNET
> ☑ TFTP

I am confused about your DSL modem and its configuration. The specs page
claims a "stateful packet inspection" firewall (a good thing) -- but doesn't
have configuration capabilities that I am familiar with. I would have
expected something about serving dhcp on the LAN side, as well as some
details about port forwarding in excess of what you show above. I take it
this is like page 39 of the manual, titled "Access Control—Services". It
could be the manual has that stuff, but I missed it?
My guess is that it's an earlier times model, with lots of technical bits
about the DSL configuration, but not much sophistication in the LAN
configuration. Just guessing, but you may be running in "bridging mode",
which is how your computer would get your public IP assigned inside your
LAN. I would certainly be reluctant to change anything -- I expect it was
all configured by an ISP technician?

The only other DSL modems I have familiarity with have multiple LAN
connections (a built-in switch), and even a wireless access point as well.
Those modems had to run dhcp to provide the LAN computers with different
IPs.

Unless someone else has experience with this modem, you may be stuck with
_my_ diagnosis: I think your DSL modem may be somewhat limited in firewall
capabilities (compared to what I would expect).

It does look like the checkboxes you show are allowing external access via
HTTP, SNMP, TELNET, and TFTP protocols to your LAN (yikes on TELNET and
TFTP).

==> I would recommend immediately turning all of them off (except the icmp,
which you indicated cannot be changed, anyway).

Now, there was probably never any risk since (presuming) you never ran any
of those services on your computer anyway, so the big-bad-internet might
have tried accessing you via HTTP or TELNET, but got no answer. Still, it is
best to turn them off at the point of ingress.

If this were my system, I would want to be able to connect more than one
computer to the LAN, and so I would go buy a residential gateway box and
plug it into the DSL modem. Then my internal computer(s) would plug into
the gateway. The gateway would then have the IP address on its external
interface, and run a private address network on the internal interface.

==> I do not think it necessary, but you could consider doing that, even
though you only connect one computer -- it might give you more confidence
in the firewall function and/or allow more experimenting in case that
appealed to you.
==> Perhaps others will add remarks here?

>
> The check mark in ICMP is grayed out, suggesting that I can NOT change it.
>
> If there *is* anything anywhere in there about port forwarding, it
> eluded me.

I was using the term port-forwarding in my (incorrect) view of the network
context. I guess it is more proper to say the firewall is doing filtering,
and those checkboxes are what it gives you control over. I presume
everything is not allowed through, but that _is_ an assumption. If I
understand correctly, port forwarding would be the more appropriate term
when you have different networks on the two sides of a
router/firewall/gateway.

>
>> It will go away on next boot, or if desired you can get rid of it by
>> # ifconfig eth0:1 0.0.0.0
>>
>
> I see no harm in leaving it. In fact, how can I make it survive a reboot?

I'm a bit rusty on this, but you might try creating a file
  /etc/sysconfig/network-scripts/ifcfg-eth0:1
containing
  DEVICE=eth0:1
  ONBOOT=yes
  BOOTPROTO=static
  IPADDR=192.168.1.234
which would be the minimum content, I think. You may replace '234' with
anything other than 0, 1 or 255.

BTW, one complication of adding another internal gateway box is that you
should configure it to use a different network, say 192.168.0.x or
192.168.222.x (just not 192.168.1.x), otherwise it is difficult to connect
to the management interface of the DSL modem.

..

Regards,
..jim

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
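An added check, not from either poster, that scripts the two things the thread settled by hand: which UDP listeners are bound to 0.0.0.0 (and so answer on the interface carrying the public DSL address) and whether cupsd.conf still has Browsing turned on. The netstat output and cupsd.conf excerpt are constructed samples; `fuser` is assumed to be psmisc's, and a real run would pipe `netstat -lnu` and `/etc/cups/cupsd.conf` in instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit wildcard-bound UDP listeners and
# the cupsd.conf "Browsing" directive that keeps udp/631 open on 0.0.0.0.
# All input below is constructed, not captured from either poster's machine.

# Constructed `netstat -lnu` output in the Fedora 8 era layout.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address               Foreign Address             State
udp        0      0 0.0.0.0:631                 0.0.0.0:*
udp        0      0 127.0.0.1:631               0.0.0.0:*
udp        0      0 0.0.0.0:111                 0.0.0.0:*
udp        0      0 192.168.1.234:5353          0.0.0.0:*'

# Constructed excerpt of a stock cupsd.conf around the line the thread quotes.
SAMPLE_CUPSD_CONF='# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny'

# Print the port of every UDP socket whose local address is the wildcard
# 0.0.0.0; sockets bound to 127.0.0.1 or a LAN address are not reported.
any_iface_udp_ports() {
    awk '$1 == "udp" && $4 ~ /^0\.0\.0\.0:/ { sub(/^0\.0\.0\.0:/, "", $4); print $4 }'
}

# Map the ports this thread dealt with to the daemon behind them.
describe_port() {
    case "$1" in
        111) echo "rpcbind (portmapper; pointless without NFS)" ;;
        631) echo "cupsd (udp side is printer browsing; see Browsing directive)" ;;
        *)   echo "unknown; identify with: fuser -v -n udp $1" ;;
    esac
}

# Report the effective Browsing setting from a cupsd.conf on stdin:
# "on", "off", or "default" when the directive is absent.
cups_browsing_state() {
    awk 'tolower($1) == "browsing" { state = tolower($2) }
         END { print (state == "" ? "default" : state) }'
}

# Stand-alone run: list wildcard-bound UDP ports and the CUPS browsing state.
printf '%s\n' "$SAMPLE_NETSTAT" | any_iface_udp_ports | while read -r port; do
    echo "udp/$port on 0.0.0.0: $(describe_port "$port")"
done
echo "cupsd.conf Browsing: $(printf '%s\n' "$SAMPLE_CUPSD_CONF" | cups_browsing_state)"
```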
