James G. Sack (jim) wrote:
At the risk of pushing the cycle
Ralph Shumaker wrote:
Interesting.
James G. Sack (jim) wrote:
http://www.mozy.com/
Ralph Shumaker wrote:
Still leaking???
..
..
If the only way that I am vulnerable is open ports with running
services, then reducing those to the essential few should be sufficient,
right?
The only super-paranoid solution is not to put your computer on any
network, and build a faraday cage around your house, and ... <heh>.
But, most of us compromise and accept some risk, eh? I think you have a
basic understanding of services and how to check, and with that said, I
would confirm your statement above.
Yes, but my statement was not to focus so much on reducing the number of
services running (although it is to be included) so much as reducing the
number of ports that answer back, namely, make it such that the only
ports that answer back are the ones in use by a running service.
..
Admittedly, I know little on the subject, but since only a few services
are running (like ntp), wouldn't it be better to DROP everything and
then just ACCEPT the few that are welcome?
That's what the firewall in the DSL modem _should_ allow you to do --
taking care not to disable a couple of ICMP protocol messages (details
of which I can't remember) that are inadvisable to ignore.
..
# service iptables status
[ugly-formatted info snipped]
# service iptables status (with proposed changes[1])
(changes proposed from my own ideas -- *please* advise)
Table: filter
Chain INPUT (policy ACCEPT)
num  target               prot  opt  source     destination
1    RH-Firewall-1-INPUT  all   --   0.0.0.0/0  0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target   prot  opt  source     destination
#1   REJECT   all   --   0.0.0.0/0  0.0.0.0/0    reject-with icmp-host-prohibited
1    DROP     all   --   0.0.0.0/0  0.0.0.0/0    drop

Chain OUTPUT (policy ACCEPT)
num  target   prot  opt  source     destination

Chain RH-Firewall-1-INPUT (1 references)
num  target   prot  opt  source     destination
1    ACCEPT   all   --   0.0.0.0/0  0.0.0.0/0
2    ACCEPT   icmp  --   0.0.0.0/0  0.0.0.0/0    icmp type 255
3    ACCEPT   esp   --   0.0.0.0/0  0.0.0.0/0
4    ACCEPT   ah    --   0.0.0.0/0  0.0.0.0/0
5    ACCEPT   udp   --   0.0.0.0/0  224.0.0.251  udp dpt:5353
6    ACCEPT   udp   --   0.0.0.0/0  0.0.0.0/0    udp dpt:631
7    ACCEPT   tcp   --   0.0.0.0/0  0.0.0.0/0    tcp dpt:631
8    ACCEPT   all   --   0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
9    ACCEPT   tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:22
#10  REJECT   all   --   0.0.0.0/0  0.0.0.0/0    reject-with icmp-host-prohibited
10   DROP     all   --   0.0.0.0/0  0.0.0.0/0    drop
[1] treating this as a file with lines commented out with "#"
==> We (you) need advice here from a bona fide firewall guru.
It looks to me like the default policy is ACCEPT just so a last-resort
policy of REJECT with a (reject with icmp-host-prohibited) message can
be emitted. This may be good strategy for pcs on a (relatively) trusted
LAN, but it seems to me that it might not be the best setup for your
bridged connection to the I'net and with your DSL modem allowing some
unwanted packets entry -- ports 1026,1027,1028, [something else(MSoft)].
Thanks for all your help jim. I think maybe I ought to start a new
thread for iptables help.
--
The four greatest threats to Americans today:
1) Executive orders giving President carte blanche dictatorial power
2) Our current foreign policy (foreign occupation by our military)
3) The federal income tax and all other unconstitutional taxes
4) Unconstitutional spending by congress, exceeding revenues, year after
year, after year, after year, after year, leading ultimately to our
utter enslavement by the owners of the world bank
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
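One way to write the "DROP everything, then ACCEPT the few" ruleset the thread discusses, as an added example that is not from anyone in this thread and not the Red Hat default: the script below prints an iptables-restore ruleset with a DROP policy on INPUT and FORWARD, so unsolicited packets (including the ones the modem lets through to ports 1026-1028) fall off the end of the chain without any catch-all REJECT or DROP rule. It assumes sshd on port 22 (the SSH_PORT variable is mine), keeps the ICMP types I would not ignore (destination-unreachable, which carries fragmentation-needed for path-MTU discovery, and time-exceeded; the thread does not name them), and the helper names generate_rules, list_open_ports and check_input_policy are mine. Without arguments it only prints; --apply loads the ruleset with iptables-restore and needs root.

```shell
#!/bin/sh
# Added example (not from the thread). Default-DROP host firewall in
# iptables-restore format. SSH_PORT is an assumed value; override in the
# environment if sshd listens elsewhere.
SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset. Lines starting with '#' are ignored by iptables-restore.
generate_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always local
-A INPUT -i lo -j ACCEPT
# replies to connections this host started, and related traffic (e.g. FTP data)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# packets conntrack cannot classify are dropped explicitly
-A INPUT -m state --state INVALID -j DROP
# ICMP messages a host should not ignore: destination-unreachable (includes
# fragmentation-needed, required for path-MTU discovery) and time-exceeded
# (TTL expiry, traceroute). Echo-request is optional and rate-limited here.
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# the one service that should answer new connections from outside
-A INPUT -p tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# List the ports that will answer a new connection under this ruleset:
# every INPUT rule that ACCEPTs a protocol with a --dport, printed as proto/port.
list_open_ports() {
    generate_rules | awk '
        /^-A INPUT/ && /-j ACCEPT/ && /--dport/ {
            proto = ""; port = "";
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1);
                if ($i == "--dport") port = $(i + 1);
            }
            if (proto != "" && port != "") print proto "/" port;
        }'
}

# Sanity check before applying: read a ruleset on stdin and succeed only if
# the INPUT chain's policy is DROP (the property the thread is after).
check_input_policy() {
    grep -q '^:INPUT DROP'
}

case "${1:-}" in
    --apply)
        # Needs root; refuse to load a ruleset whose INPUT policy is not DROP.
        generate_rules | check_input_policy || { echo "INPUT policy is not DROP" >&2; exit 1; }
        generate_rules | iptables-restore
        ;;
    *)
        generate_rules
        ;;
esac
```

Running it without arguments prints the ruleset for review; `sh script.sh --apply` (as root) installs it. Because the policies do the dropping, adding a service later means adding one ACCEPT line rather than reordering rules ahead of a trailing REJECT, and list_open_ports gives the answer to "which ports answer back" without a port scan.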