/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
Unless you explicitly deny telnet access to your firewall machine, anybody
could telnet to it. I believe that this can be accomplished like so:
EXTERNAL_INTERFACE="eth0"    # whatever it turned out to be (eth0, eth1 or eth3...)
ANYWHERE="0.0.0.0/0"
IPADDR="192.0.2.1"           # replace with the IP address of your external interface
# Reject new TCP connections (-y = SYN set) that arrive on the external interface
# for the telnet port (23) of the firewall machine itself (input chain, not forward).
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y -s $ANYWHERE -d $IPADDR 23 -j REJECT
or you could and should use the /etc/hosts.deny and /etc/hosts.allow files
of the TCP_WRAPPER package for more security. Usually if you are looking to
connect to your Linux Firewall box from outside, SSH is a good shell to use
instead of TELNET and/or FTP. However, WU_FTPD from the University of
Washington is known to be secure. Ask those SUN guys about it.
> -----Original Message-----
> From: Bruno Melloni [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, August 25, 1999 8:02 AM
> To: [EMAIL PROTECTED]
> Subject: [Masq] Protecting the firewall machine
>
> As an early setup I did the "no-brains" 2-line ipchains configuration
> setting a deny-all default policy and allow all outgoing for masqueraded
> forwarding.
>
> In my configuration the masquerading/firewalling is done on the same
> Linux server that handles all my internal functionality, as well as
> external DNS, http, ftp, etc. I expected that with the above policies
> all internet-originated traffic would be blocked, but found that I can
> still use telnet, DNS, etc from the internet.
>
> Is this an indication that the ipchains policies only apply to traffic
> between the inside and outside network and not to the firewall machine
> itself? Or is it just that I have to delve deep into all the ipchains
> options and put in better and more specific policies?
>
> If ipchains does not protect the firewall machine, can you recommend a
> way to accomplish that?
>
> Thanks,
>
> bruno
>
>
>
> _______________________________________________
> Masq maillist - [EMAIL PROTECTED]
> Admin requests can be handled at http://www.indyramp.com/masq-list/
> or email to [EMAIL PROTECTED]
>
> PLEASE read the HOWTO and search the archives before posting.
> You can start your search at http://www.indyramp.com/masq/
> Please keep general linux/unix/pc/internet questions off the list.
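The reply's two suggestions (an ipchains rule on the input chain and the TCP wrappers hosts.allow/hosts.deny files) worked through as one script; this is an added example, not code from either message in the thread, and the interface name, the 192.0.2.1 external address and the 192.168.1.0/24 internal network are assumed values.

```shell
#!/bin/sh
# Added example (not from the original posts): protect the firewall host itself.
# Assumed values: eth0 as the external interface, 192.0.2.1 as its address and
# 192.168.1.0/24 as the internal network; override them via the environment.
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
ANYWHERE="0.0.0.0/0"
IPADDR="${IPADDR:-192.0.2.1}"
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/255.255.255.0}"

# Run ipchains, or with DRY_RUN=1 just print the rule that would be installed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'ipchains %s\n' "$*"; else ipchains "$@"; fi
}

# Packet-filter layer. Match only connection requests (-y = SYN set) arriving on
# the external interface for a port on the firewall's own address. These rules
# go on the input chain: forward-chain rules (the usual masquerading setup) only
# see routed traffic and never packets addressed to the box itself.
reject_inbound_tcp() {
    run -A input -i "$EXTERNAL_INTERFACE" -p tcp -y -s "$ANYWHERE" -d "$IPADDR" "$1" -j REJECT
}
accept_inbound_tcp() {
    run -A input -i "$EXTERNAL_INTERFACE" -p tcp -y -s "$ANYWHERE" -d "$IPADDR" "$1" -j ACCEPT
}

protect_firewall() {
    accept_inbound_tcp 22    # ssh stays reachable from outside
    reject_inbound_tcp 23    # telnet
    reject_inbound_tcp 21    # ftp
}

# Second layer: TCP wrappers. Services started by inetd through tcpd consult
# hosts.allow first, then hosts.deny, so a default "ALL: ALL" deny plus explicit
# allows refuses a login even if a packet gets past the filter. $1 is the target
# directory (/etc on a real box; a scratch directory when testing).
write_tcp_wrappers() {
    printf 'ALL: ALL\n' > "$1/hosts.deny"
    printf 'sshd: ALL\nin.telnetd: %s\nin.ftpd: %s\n' "$INTERNAL_NET" "$INTERNAL_NET" > "$1/hosts.allow"
}
```

Run `protect_firewall` and `write_tcp_wrappers /etc` as root, or set `DRY_RUN=1` first to print the ipchains rules instead of installing them.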