On Wed Jun 21 2000 at 21:19, Dale Alspach wrote:
> I have just gotten a DSL connection for home and I bought a Linksys
> router/firewall to put between the DSL modem and my machines. The box
> allows selective port forwarding. What ports should I allow? I don't
Reject tcp SYN packets (ie, packets that are attempting to establish
tcp connections) to any ports that you don't want.
If you don't want anyone to be able to connect to anything from
outside, then block them all. Or at the very least, block all the
privileged ports (1-1023).
Bit trickier with udp... ports like netbios (137:139) should be
blocked.
Check the CERT sites and some of the (unix/networking) HOWTOs and
FAQs for other ports that are highly recommended for blocking. (eg,
all the r-tools [rsh rexec etc], lpd and so on).
> really need services for machines outside my little network to use very
> often since usually I can use the services at the other end. Once in a
> while I might want telnet or ftp. My kids use AOL instant messenger/gaim
For TCP connections, you can differentiate between established
connections and new connections (SYN)... use this to your advantage.
This isn't possible for UDP and ICMP - you'll need to be much more
specific about this (which can be tricky if you don't want to
accidentally break anything).
> and sometimes play games on the internet. When there is trouble I might
> need to use traceroute or some other tool. I looked through /etc/services
All these use (mostly) UDP ports above 1023, don't block these.
traceroute is hopeless for testing firewalls apart from confirming
where packets may or may not be possibly blocked or masqueraded.
netcat (nc) is a FAR better tool (in fact, netcat is just brilliant
for all sorts of uses, not just port-scanning).
> but not being a network guru I am having hard time deciding which ones
> I need. 20 and 21 for ftp? 22 for ssh? 23 for telnet? Is there any need
> for tftp? 161 snmp? 513? Behind the Linksys box the machines either
Yep, you're on the right track. Block incoming SYN, but allow those
ports out if the connection has been established from your end.
You'll need to read a lot about firewalls, ipchains and so on.
> boot linux or windows 95. The win 95 machines don't run many services,
> do they? What does AOL IM use? 194? What do these games use? Linksys
Yep - netbios if they have networking enabled. And god knows what
other ports are being listened to.
> mentions using their DMZ for the machine playing the game but if I
> understand correctly that means that the machine is outside the firewall
> effectively.
No, there are masquerading modules for doing this stuff. Hmm,
perhaps you didn't
> I have my hosts.deny and hosts.allow set to allow only certain domains
> or static addresses so I think I am not too badly exposed when the ports
> are visible and linux is up.
No, tcp_wrappers only offers LOCAL security for SOME network
services. Not all.
It is not a replacement for network firewall security.
> TIA for any suggestions or pointers to documentation.
There is lots and lots and LOTS of excellent information on all
this - and not just in the linux HOWTO documentation. I've
mentioned CERT (AusCERT here), check their web pages. Also check
the newsgroup FAQ archives for things like comp.unix.security at
ftp://rtfm.mit.edu
Network / firewall security is a learning curve when it first hits
you in the face, but once you get the hang of how it all works
you'll have the power to really protect yourself (and others) once
it all falls into place.
Good luck.
Cheers
Tony
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
Tony Nugent <[EMAIL PROTECTED]> Systems Administrator, RHCE
GrowZone OnLine (a project of) GrowZone Development Network
POBox 475 Toowoomba Queensland Australia 4350 Ph: 07 4637 8322
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
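As an added illustration (not code from Tony's reply, the Linksys box or ipchains itself), here is a small Python model of the inbound policy the reply describes: first-match rules like an ipchains input chain, the SYN test that separates new connections from flows established from inside, and the explicit UDP/ICMP handling that stateless protocols force on you. The packets, port numbers and rule names are constructed for the example.

```python
"""Toy model of an inbound (from the DSL side) firewall chain.

Rules are tried in order, first match wins, like an ipchains input chain.
The "new connection" test is what ipchains' -y flag matches: SYN set, ACK clear.
"""
from dataclasses import dataclass

NETBIOS = range(137, 140)          # 137:139 udp, the netbios ports named above
ICMP_ALLOWED = {0, 3, 11}          # echo-reply, dest-unreachable, time-exceeded
DEFAULT_POLICY = "DENY"            # anything not explicitly matched is dropped


@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp", "udp" or "icmp"
    dport: int = 0                 # destination port (tcp/udp)
    syn: bool = False
    ack: bool = False
    icmp_type: int = -1


def is_new_tcp(p):
    """A SYN without ACK is an attempt to open a connection from outside."""
    return p.proto == "tcp" and p.syn and not p.ack


# (rule name, match predicate, target) in chain order; constructed policy.
INPUT_CHAIN = [
    ("tcp new connection from outside", is_new_tcp, "REJECT"),
    ("tcp belonging to a flow we opened", lambda p: p.proto == "tcp", "ACCEPT"),
    ("udp netbios", lambda p: p.proto == "udp" and p.dport in NETBIOS, "DENY"),
    ("udp unprivileged (games, IM, DNS replies)",
     lambda p: p.proto == "udp" and p.dport > 1023, "ACCEPT"),
    ("icmp replies needed by ping/traceroute",
     lambda p: p.proto == "icmp" and p.icmp_type in ICMP_ALLOWED, "ACCEPT"),
]


def verdict(pkt):
    """Return (target, rule name) for the first rule that matches pkt."""
    for name, match, target in INPUT_CHAIN:
        if match(pkt):
            return target, name
    return DEFAULT_POLICY, "default policy"


# Constructed sample of inbound packets (not captured traffic).
SAMPLE_INBOUND = {
    "ssh_probe": Packet("tcp", 22, syn=True),                   # outsider opening 22
    "telnet_reply": Packet("tcp", 40123, syn=True, ack=True),   # SYN/ACK to our telnet
    "netbios_scan": Packet("udp", 137),
    "tftp_probe": Packet("udp", 69),
    "game_traffic": Packet("udp", 27015),
    "traceroute_ttl": Packet("icmp", icmp_type=11),
    "ping_from_outside": Packet("icmp", icmp_type=8),
}


def audit():
    """Map each sample packet name to its target, for a quick policy review."""
    return {name: verdict(p)[0] for name, p in SAMPLE_INBOUND.items()}
```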