At the risk of pushing the cycle

Ralph Shumaker wrote:
> James G. Sack (jim) wrote:
>> http://www.mozy.com/
>> Ralph Shumaker wrote:
..

>>>... still cannot access it since disabling those
>>> services.  I don't know why, unless those were services being supplied
>>> by the DSL modem to *my* computer.  Got any ideas how to get back in?
>>>     
>>
>> I thought you said it fixed itself?
>>   
> 
> I don't recall saying that.  But in any case, to be clear, I lost access
> to the admin of the modem and never got it back.  It did not affect my
> ability to surf the web.  But I cannot access the admin of the modem.
> 
>> Starting from
>>   # ifconfig eth0:0 192.168.1.99
>>   ifconfig -a
>> (to verify the 192.168.1.99 alias)
>>   ping 192.168.1.1
>>   
> 
> All good.
> 
>> if that works, browse to
>>   http://192.168.1.1/
>>   
> 
> instantly gives me the dialog that says:
> The connection was reset
> The connection to the server was reset while the page was loading.
> # The site could be temporarily unavailable or too busy. Try again in a few moments.
> # If you are unable to load any pages, check your computer's network connection.
> # If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
> 
> [Try Again]
> 
> 
> (Clicking on [Try Again] merely refreshes the dialog.)

OK thanks for the recap, now I get the picture.

..
> 
> If the only way that I am vulnerable is open ports with running
> services, then reducing those to the essential few should be sufficient,
> right?

The only super-paranoid solution is not to put your computer on any
network, and build a faraday cage around your house, and ... <heh>.

But, most of us compromise and accept some risk, eh? I think you have a
basic understanding of services and how to check, and with that said, I
would confirm your statement above.


..
>> What I meant is that you can't do much about probes arriving at your
>> public IP. That your DSL modem doesn't allow you to filter out those
>> things you don't want is a deficiency of the modem, IMO.
>>
>> I believe your computer may not actually be doing any (real) responding,
>> it should be ignoring them. It would only respond by virtue of running a
>> service whose job is to respond.
>>   
> 
> I don't understand.  Aren't these replies?
> 
> # tcpdump -lr tcpdumped
> reading from file tcpdumped, link-type EN10MB (Ethernet)
> 11:09:03.700039 IP host86-168-240-81.range86-168.btcentralplus.com.54271 > netblock-68-183-me-me.dslextreme.com.33925: UDP, length 35
> 11:09:03.700134 IP netblock-68-183-me-me.dslextreme.com > host86-168-240-81.range86-168.btcentralplus.com: ICMP host netblock-68-183-me-me.dslextreme.com unreachable - admin prohibited, length 71

Yes, I was not speaking precisely enough. I tried awkwardly to amplify
in my later remarks. The "unreachable" is a standard reply generated by
the kernel. If an ip filtering mechanism (iptables) is running, you may
modify the standard reaction to do-nothing.

==> If someone with more expertise has a better explanation, perhaps
they will jump in.
..

> 
> Admittedly, I know little on the subject, but since only a few services
> are running (like ntp), wouldn't it be better to DROP everything and
> then just ACCEPT the few that are welcome?

That's what the firewall in the DSL modem _should_ allow you to do --
taking care not to disable a couple of ICMP protocol messages (details
of which I can't remember) that are inadvisable to ignore.

..
> # service iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
> 1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain RH-Firewall-1-INPUT (1 references)
> num  target     prot opt source               destination
> 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
> 3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> 4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> 5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
> 6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
> 7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
> 8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> 9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
> 10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
> 

==> We (you) need advice here from a bonafide firewall guru.

It looks to me like the default policy is ACCEPT just so a last-resort
policy of REJECT with a (reject with icmp-host-prohibited) message can
be emitted. This may be good strategy for PCs on a (relatively) trusted
LAN, but it seems to me that it might not be the best setup for your
bridged connection to the I'net and with your DSL modem allowing some
unwanted packets entry -- ports 1026,1027,1028, [something else(MSoft)].

Regards,
..jim


-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
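The ruleset Ralph is asking about (DROP everything by default, then ACCEPT the essential few), as an added example that is not part of the thread and not anything Jim or Ralph posted. It is written in iptables-restore format so it can be reviewed before it is loaded. The assumptions are mine: the LAN behind the modem is 192.168.1.0/24 (consistent with the 192.168.1.99 alias used above), ssh is the only service meant to be reachable from the Internet, mDNS and IPP (the udp/5353 and 631 rules from the stock RH-Firewall-1-INPUT chain) are wanted only from the LAN, and NTP is a client whose replies come back as ESTABLISHED traffic. The function names gen_rules, apply_rules and count_input_accepts are also mine. The comments name the ICMP types that Jim recalls being inadvisable to block.

```shell
#!/bin/sh
# Added example (not from the thread): a default-DROP INPUT policy for a
# single host bridged directly to the Internet, in iptables-restore format.
# Assumptions (mine, not stated in the thread): LAN is 192.168.1.0/24, ssh
# is the only externally offered service, mDNS/IPP are LAN-only, NTP is a
# client.  Review the output of `gen_rules` before running `apply`.

LAN_NET="${LAN_NET:-192.168.1.0/24}"

# gen_rules prints a complete filter table.  It is kept separate from the
# apply step so the table can be read, or diffed against `iptables-save`,
# without touching the kernel.
gen_rules() {
    cat <<EOF
*filter
# DROP on INPUT: probes get no answer at all.  The stock RH-Firewall-1-INPUT
# chain ends in a REJECT rule, and that REJECT is what generated the
# "ICMP host unreachable - admin prohibited" replies seen in the tcpdump.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback is always fine.
-A INPUT -i lo -j ACCEPT
# Anything that is part of, or related to, a conversation we started.
# This covers NTP replies to our own queries, and RELATED also admits the
# ICMP errors (e.g. fragmentation-needed) that belong to our outbound
# connections, which is what keeps path-MTU discovery working.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# A "new" TCP connection that does not start with SYN is bogus; drop it.
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# ICMP types that are unwise to discard even when unsolicited:
#  3/4 fragmentation-needed : path MTU discovery for connections we accepted
#  11  time-exceeded        : traceroute and loop detection
#  8   echo-request         : optional; rate-limited so it cannot flood us
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

# Services actually offered: ssh from anywhere, mDNS and IPP only from the LAN.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s ${LAN_NET} -d 224.0.0.251 -p udp --dport 5353 -j ACCEPT
-A INPUT -s ${LAN_NET} -p udp --dport 631 -j ACCEPT
-A INPUT -s ${LAN_NET} -p tcp --dport 631 -j ACCEPT

# No final REJECT: the DROP policy silently handles everything else,
# including the probes to ports 1026-1028 the modem lets through.
COMMIT
EOF
}

# apply_rules loads the table atomically; refuses to run unprivileged.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be root" >&2
        return 1
    fi
    gen_rules | iptables-restore
}

# count_input_accepts is a cheap review aid: how many INPUT rules ACCEPT,
# so the "essential few" can be confirmed without loading anything.
count_input_accepts() {
    gen_rules | grep -c '^-A INPUT .*-j ACCEPT$'
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it with no argument to print the table for review, and `sh thisfile.sh apply` as root to load it. DROP versus REJECT is the point of the exercise: a REJECT rule makes the kernel emit the ICMP admin-prohibited message that showed up in Ralph's capture, while a DROP policy discards the packet and says nothing, which is usually what you want on an interface facing the Internet (REJECT is friendlier on a trusted LAN, where a prompt error beats a long timeout).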