James G. Sack (jim) wrote:
Ralph Shumaker wrote:
James G. Sack (jim) wrote:
Ralph Shumaker wrote:
James G. Sack (jim) wrote:
You left this reference, but everything James G. Sack said this deep has been snipped out. For example:
jim wrote:
> these words, but
> Ralph wrote:
> > these words, and
> > jim wrote:
> > > these words, but
> > > Ralph wrote:
> > > > these words, not jim.
> > > > jim wrote:
> > > > > nothing that didn't get snipped out from this level.
however,
> > > Ralph wrote:
> > > > these words, but
> > > > jim wrote:
> > > > [words written by Ralph but appear to be jim's]
Don't get me wrong.  I'd rather see that mistake than:
jim wrote:
> these words, but
> > > > who the hell knows who wrote these words!?!?
I generally do all my snipping, and then figure out how many levels of attribution need to be left. If the longest quoting looks like:
> > > > these words
then I know that the deepest attribution that needs to remain is:
> > > so-and-so wrote:



..
..
nfs was not enabled.  Stopped nfslock (which stopped rpc.statd).  And
stopped rpcbind.  Disabled them and saved.

I don't know if they are related, but rpcgssd is enabled and running, as
well as rpcidmapd.
I guess those are all related (because of the rpc prefix), and all
unnecessary in your setup.
rpcgssd failed to stop, but didn't claim to be running. It was
checkmarked for loading tho.

rpcidmapd shut down successfully.

Both said something about NFSv4, which I don't think I'm using. I have
disabled them from starting up again (in runlevel 5 anyway).

No other computers on your network .. no reason to run NFS (Network File
Sharing) service, no NFSv? (anything) .. No steenkin' NFS! :-)
  unless you want to, of course ;-)

..

So what should I do about port 631?
Google-poking shows some clue that it has to do with making (and/or
seeing?) announcements of printer availability on your local network.
Also that it seems to be controlled by
  /etc/cups/cupsd
at the lines near
 # Show shared printers on the local network.
You might experiment with these, because it seems you have no need for a
udp port being open on 631
I don't know if this helps:
# ll /etc/cups/cupsd.conf*
-rw-r----- 1 root lp 2474 2008-07-01 04:46 /etc/cups/cupsd.conf
-rw-r----- 1 root lp 2474 2008-07-01 04:46 /etc/cups/cupsd.conf.default

# diff /etc/cups/cupsd.conf /etc/cups/cupsd.conf.default

Apparently, I have the default settings (Fedora 8). Being 2474 bytes,
I'm hesitant to include the contents.

What I meant was to try playing with cupsd.conf -- and see if that had
any impact on the open ports, and if so, whether that interfered with
printing.

For example, I changed
  Browsing On
to
  Browsing Off
and then restarted cupsd with
 service cupsd reload

I did notice that the open udp port that was on 0.0.0.0 (any interface)
went away. This was the open port of (possible) concern.

I do have some network printing operations, so I'm going to turn mine
back on. And besides I'm behind a firewall, so I'm not worried about the
internet talking to my cupsd.

..
Mine is 68.183.yyy.zzz which doesn't resemble yours.  My hostname
currently is netblock-68-183-yyy-zzz, kinda like what Cox does IIRC.
Oh, that is not a private IP address, it is a public one (accessible
from the internet), so you are right to avoid plastering it all around.
It is visible in your email headers -- but there's not anything you can
do about that, I believe.

So your DSL modem is not doing any NAT.
Which is port forwarding?

==> Somebody else will have to explain what is going on. I'd like to
know more about it myself. Maybe that implies there is no
... implies there is no ???

Oops, I meant to append "firewall". Meaning maybe your modem doesn't
have firewall capabilities, or that it is somehow disabled? The model
you originally posted  (dlink DSL-2320B) is supposed to have a stateful
firewall within, according to
  http://www.dlink.com/products/resource.asp?pid=554&rid=2122&sec=0
The manual from
  ftp://ftp.dlink.com/Broadband/dsl2320B/Manual/dsl2320B_Manual_12.zip
is what I looked at before. Hmmm, I'll have another look at it.

The DSL management interface may or may not be accessible, though.
Here's what I would try:

  # ifconfig eth0:1 192.168.1.99
  # ping 192.168.1.1
if ping works, point your browser at http://192.168.1.1, and poke around.

What the above is, is an ethernet "alias" which behaves like another
interface working through the same hardware and ethernet wiring.
Yep, that did the trick. I'm in. Now I need to regress in this thread
since what you suggested has either been snipped or I'm just not seeing it.

If I found it, you suggested looking for unexpected port forwarding. I
don't know where to look for that. There seems to be a _lot_ in there.
But I did find a list of services:
☐ FTP
☑ HTTP
☑ ICMP
☑ SNMP
☑ TELNET
☑ TFTP

I am confused about your DSL modem and its configuration. The specs page
  claims a "stateful packet inspection" firewall (a good thing) -- but
doesn't have configuration capabilities that I am familiar with. I would
have expected something about serving dhcp on the LAN side, as well as
some details about port forwarding in excess of what you show above. I
take it this is like page 39 of the manual, titled "Access
Control—Services". It could be the manual has that stuff, but I missed
it? My guess is that it's an earlier times model, with lots of technical
bits about the DSL configuration, but not much sophistication in the
LAN configuration. Just guessing, but you may be running in "bridging
mode", which is how your computer would get your public IP assigned
inside your LAN. I would certainly be reluctant to change anything -- I
expect it was all configured by an ISP technician?

  The only other DSL modems I have familiarity with have multiple
  LAN connections (a built-in switch), and even a wireless access
  point as well. Those modems had to run dhcp to provide the LAN
  computers with different IPs.

Unless someone else has experience with this modem, you may be stuck
with _my_ diagnosis: I think your DSL modem may be somewhat limited in
firewall capabilities (compared to what I would expect). It does look
like the checkboxes you show are allowing external access via HTTP,
SNMP, TELNET, and TFTP protocols to your LAN (yikes on TELNET and TFTP).

==> I would recommend immediately turning all of them off (except the
icmp, which you indicated cannot be changed, anyway).

  Now, there was probably never any risk since (presuming) you never
  ran any of those services on your computer anyway, so the
  big-bad-internet might have tried accessing you via HTTP or TELNET,
  but got no answer. Still, it is best to turn them off at the point
  of ingress.

If this were my system, I would want to be able to connect more than one
computer to the LAN, and so I would go buy a residential gateway box and
plug it into the DSL modem. Then my internal computer(s) would plug into
the gateway. The Gateway would then have the IP address on its external
interface, and run a private address network on the internal interface.

==> I do not think it necessary, but you could consider doing that, even
though you only connect one computer -- it might give you more
confidence in the firewall function and/or allow more experimenting in
case that appealed to you.

==> Perhaps others will add remarks here?


The check mark in ICMP is grayed out, suggesting that I can NOT change it.

If there *is* anything anywhere in there about port forwarding, it
eluded me.

I was using the term port-forwarding in my (incorrect) view of the
network context. I guess it is more proper to say the firewall is doing
filtering, and those checkboxes are what it gives you control over. I
presume everything is not allowed through, but that _is_ an assumption.
If I understand correctly, port forwarding would be the more appropriate
term when you have different networks on the two sides of a
router/firewall/gateway.

It will go away on next boot, or if desired you can get rid of it by
 # ifconfig eth0:1 0.0.0.0
I see no harm in leaving it. In fact, how can I make it survive a reboot?

I'm a bit rusty on this, but you might try creating a file
  /etc/sysconfig/network-scripts/ifcfg-eth0:1
containing
  DEVICE=eth0:1
  ONBOOT=yes
  BOOTPROTO=static
  IPADDR=192.168.1.234
which would be the minimum content, I think. You may replace '234' with
anything other than 0, 1 or 255.

BTW, one complication of adding another internal gateway box is that you
should configure it to use a different network, say 192.168.0.x or
192.168.222.x (just not 192.168.1.x), otherwise it is difficult to
connect to the management interface of the DSL modem.

..

Regards,
..jim





--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
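The checks jim walks through above (is the udp 631 listener bound to every interface, is that because of `Browsing On` in cupsd.conf, and does the host sit on a public address with no NAT in front) can be scripted as one small audit. The following is an added example, not code from the thread or from CUPS; the `netstat -ulnp` listing and the cupsd.conf fragment are constructed samples that mirror what the thread describes, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample of `netstat -ulnp` output (not captured from the
# thread's machine): cupsd's browse socket bound to all interfaces,
# rpcbind likewise, and ntpd bound only to loopback.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:631             0.0.0.0:*                           2210/cupsd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           1850/ntpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1602/rpcbind
"""

# Constructed cupsd.conf fragment around the "shared printers" block.
SAMPLE_CUPSD_CONF = """\
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all
Listen localhost:631
"""


def parse_udp_listeners(netstat_text):
    """Return (local_addr, port, program) for every udp line of netstat -ulnp."""
    listeners = []
    for line in netstat_text.splitlines():
        if not line.startswith("udp"):
            continue                      # skip banner/header lines
        fields = line.split()
        addr, port = fields[3].rsplit(":", 1)   # handles ':::631' as well
        program = fields[-1] if "/" in fields[-1] else "-"
        listeners.append((addr, int(port), program))
    return listeners


def wildcard_listeners(netstat_text):
    """Listeners bound to 0.0.0.0 or :: answer on every interface, so they
    are reachable from whatever network the host is plugged into."""
    return [l for l in parse_udp_listeners(netstat_text) if l[0] in ("0.0.0.0", "::")]


def cups_browsing_enabled(conf_text):
    """True/False for an explicit 'Browsing On|Off' directive; None when the
    directive is absent (so the compiled-in default applies and must be checked)."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"Browsing\s+(\S+)", stripped, re.IGNORECASE)
        if m:
            return m.group(1).lower() in ("on", "yes", "true")
    return None


def host_is_internet_reachable(host_ip):
    """A wildcard-bound service is internet-reachable when the host itself
    carries a public address (no NAT in front), as in the thread; RFC 1918,
    loopback and link-local addresses return False."""
    return ipaddress.ip_address(host_ip).is_global


def exposure_report(netstat_text, conf_text, host_ip):
    """Combine the three checks into (port, program, reason) findings."""
    browsing = cups_browsing_enabled(conf_text)
    public = host_is_internet_reachable(host_ip)
    findings = []
    for addr, port, program in wildcard_listeners(netstat_text):
        reason = "bound to all interfaces (%s)" % addr
        if port == 631 and browsing:
            reason += "; cupsd 'Browsing On' announces printers on this socket"
        if public:
            reason += "; host address is public, no NAT in front"
        findings.append((port, program, reason))
    return findings


if __name__ == "__main__":
    # 68.183.0.0/16 style address stands in for the thread's public DSL IP.
    for port, program, reason in exposure_report(SAMPLE_NETSTAT, SAMPLE_CUPSD_CONF, "68.183.1.2"):
        print("udp/%d %s: %s" % (port, program, reason))
```

Running it against real output is a matter of feeding the text of `netstat -ulnp` (or `ss -ulnp` reformatted) and `/etc/cups/cupsd.conf` into `exposure_report` with the address from `ifconfig`; a finding for udp/631 that disappears after `Browsing Off` plus `service cups reload` confirms the thread's observation, and the public-address clause is what turns a LAN-only nuisance into an internet-facing one.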
