Hmmm... DNS, depending on how you have it set up. You may need to leave
incoming port 53 accessible. Other than that, I don't imagine there
being a problem with this. You may also want to look into ports
6000:6010 if you leave X running.
-Steve
On Tue, Jan 18, 2000 at 04:07:16PM -0800, Manuel A. McLure wrote:
> OK, got that. With that configuration I'd have to figure out what ports are
> being used by servers and block those specifically, right? My question is,
> will doing something like
>
> ipchains -I input -p tcp --destination-port 0:1023 -i eth1 -j REJECT -l
> ipchains -I input -p udp --destination-port 0:1023 -i eth1 -j REJECT -l
>
> hurt anything?
>
> --
> Manuel A. McLure - Unify Corp. Technical Support <[EMAIL PROTECTED]>
> Vah! Denuone Latine loquebar? Me ineptum. Interdum modo elabitur.
>
>
> -----Original Message-----
> From: Steve Shah [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 18, 2000 3:46 PM
> To: Manuel A. McLure
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: Securing IPMASQ gateway
>
>
> Not quite -- I'll take my config as an example: my firewall also
> does some internal serving which leaves a few ports open. For
> argument's sake, let's assume these ports are 110/tcp (POP), 25/tcp
> (SMTP), 23/tcp (telnet), and 22/tcp (ssh). All three are configured to
> accept connections from any interface. I can see this with
> netstat -an. My internet connection comes from eth1. Because I want to
> remain flexible with what I allow, I block those ports which I'm
> listening to.
>
> #!/bin/sh
> #
> # sample firewall setup
> #
> ipchains -I input -p tcp --destination-port 23 -i eth1 -j REJECT -l
> ipchains -I input -p tcp --destination-port 25 -i eth1 -j REJECT -l
> ipchains -I input -p tcp --destination-port 110 -i eth1 -j REJECT -l
>
> On Tue, Jan 18, 2000 at 01:28:55PM -0800, Manuel A. McLure wrote:
> > So I have to deny each port specifically? If I'm using IPMASQ, can I simply
> > DENY all ports 0-1023 coming in from the external interface (since IPMASQ
> > will use ports above 1023) and have that work?
> >
> > --
> > Manuel A. McLure - Unify Corp. Technical Support <[EMAIL PROTECTED]>
> > Vah! Denuone Latine loquebar? Me ineptum. Interdum modo elabitur.
> >
> >
> > -----Original Message-----
> > From: Steve Shah [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, January 18, 2000 12:14 PM
> > To: Manuel A. McLure
> > Cc: '[EMAIL PROTECTED]'
> > Subject: Re: Securing IPMASQ gateway
> >
> >
> > Deny ports based on which device the packet comes from.
> >
> > On Tue, Jan 18, 2000 at 09:13:02AM -0800, Manuel A. McLure wrote:
> > > I am looking for a way to secure my IPMASQ gateway machine. My situation is
> > > the following: I have a network of three machines - two workstations running
> > > Linux and Windows 95/98, and a gateway running Linux (all Linuxes are Red
> > > Hat 6.1). The gateway has an ethernet card connected to the internal network
> > > and a second ethernet that will be connected to a cable modem. It is set up
> > > for IPMASQ already - my internal addresses are 10.1.1.X.
>
> --
> ______________________________________________________________________________
> Steve Shah ([EMAIL PROTECTED]) | Alteon Web Systems Inc. (Developer/Sysadmin)
> http://www.alteon.com | Voice: 408.360.5500 Fax: 408.360.5500
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Beating code into submission, one OS at a time...
--
______________________________________________________________________________
Steve Shah ([EMAIL PROTECTED]) | Alteon Web Systems Inc. (Developer/Sysadmin)
http://www.alteon.com | Voice: 408.360.5500 Fax: 408.360.5500
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Beating code into submission, one OS at a time...
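The two 0:1023 rules from the thread, run through a small evaluator written for this page (not code from either poster): it applies the `-I input` commands in the order given, so the udp rule ends up first, and then checks constructed sample packets to show what the rules reject, why X on 6000:6010 is not covered, and why DNS replies to the gateway's own resolver still get through.

```python
# Simulation of the ipchains "input" chain discussed above. Added example;
# the rule strings copy the thread, the matcher and packets are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str    # -p: "tcp" or "udp"
    dport: tuple  # --destination-port as an inclusive (low, high) range
    iface: str    # -i: interface the packet arrived on
    target: str   # -j: REJECT (answers with ICMP) or DENY (silent drop)

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    sport: int
    dport: int

def build_chain(commands):
    """-I inserts at the head of the chain, so the last command issued
    becomes the first rule consulted."""
    chain = []
    for cmd in commands:
        argv = cmd.split()
        lo, _, hi = argv[argv.index("--destination-port") + 1].partition(":")
        rule = Rule(argv[argv.index("-p") + 1], (int(lo), int(hi or lo)),
                    argv[argv.index("-i") + 1], argv[argv.index("-j") + 1])
        chain.insert(0, rule)
    return chain

def evaluate(chain, pkt, policy="ACCEPT"):
    """First matching rule wins; the chain policy applies if none match."""
    for r in chain:
        if (pkt.iface == r.iface and pkt.proto == r.proto
                and r.dport[0] <= pkt.dport <= r.dport[1]):
            return r.target
    return policy

CHAIN = build_chain([
    "ipchains -I input -p tcp --destination-port 0:1023 -i eth1 -j REJECT -l",
    "ipchains -I input -p udp --destination-port 0:1023 -i eth1 -j REJECT -l",
])

# Constructed traffic: eth1 is the cable modem side, eth0 the 10.1.1.x LAN.
SAMPLES = {
    "ssh from internet": Packet("eth1", "tcp", 40000, 22),
    "dns query from internet": Packet("eth1", "udp", 40001, 53),
    "dns reply to our resolver": Packet("eth1", "udp", 53, 34567),
    "x11 from internet": Packet("eth1", "tcp", 40002, 6000),
    "ssh from lan": Packet("eth0", "tcp", 40003, 22),
}

def verdicts():
    return {name: evaluate(CHAIN, p) for name, p in SAMPLES.items()}
```

The X connection and the DNS reply both fall outside 0:1023, which is exactly why the reply above calls out 6000:6010 separately and why port 53 only matters if the gateway is meant to answer queries from outside.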
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]