Re: Save ports
Hi,

On Tue, 06.03.2007 at 12:40:07 +0100, Almir Karic [EMAIL PROTECTED] wrote:
> On 3/5/07, Toni Mueller [EMAIL PROTECTED] wrote:
> > it depends. My current impression is that if you can get away with
> > having the TCP stack reject packets w/o spending the effort of running
> > it through pf, then that's a performance benefit. But I'm not sure
> > that the person asking will be in such a situation.
>
> if someone sent you a packet they already wasted your bandwidth, so the
> only thing you gain is a minor performance benefit as the services in
> question aren't wasting your RAM.

I only intended to make a statement about the load on the gateway. Sure,
they wasted my bandwidth, but not my gateway's horsepower yet.

Best,
--Toni++
Re: Save ports
On 3/5/07, Toni Mueller [EMAIL PROTECTED] wrote:
> Hi,
>
> On Thu, 22.02.2007 at 22:36:21 +0100, Joachim Schipper [EMAIL PROTECTED] wrote:
> > Just filtering aggressively using pf works as well, of course.
>
> it depends. My current impression is that if you can get away with
> having the TCP stack reject packets w/o spending the effort of running
> it through pf, then that's a performance benefit. But I'm not sure that
> the person asking will be in such a situation.

if someone sent you a packet they already wasted your bandwidth, so the
only thing you gain is a minor performance benefit as the services in
question aren't wasting your RAM.

-- 
almir
Re: Save ports
Hi,

On Thu, 22.02.2007 at 22:36:21 +0100, Joachim Schipper [EMAIL PROTECTED] wrote:
> Just filtering aggressively using pf works as well, of course.

it depends. My current impression is that if you can get away with
having the TCP stack reject packets w/o spending the effort of running
it through pf, then that's a performance benefit. But I'm not sure that
the person asking will be in such a situation.

Best,
--Toni++
Re: Save ports
On Tue, Feb 20, 2007 at 06:47:41PM -0800, Bray Mailloux wrote:
> I ran an nmap -sS localhost which output
>
>   port     state  service
>   13/tcp   open   daytime
>   22/tcp   open   ssh
>   25/tcp   open   smtp
>   37/tcp   open   time
>   53/tcp   open   domain
>   113/tcp  open   auth
>   587/tcp  open   submission
>
> This BSD box will be serving solely as a router so few of the above
> services are needed (submission, auth, domain, smtp). How do I begin
> closing down these services?

You do need smtp and submission unless you are very aware of why I say
that and are confident you do not (hint: local mail delivery is triggered
by lots of stuff).

daytime doesn't hurt, but can be turned off by stopping inetd or editing
/etc/inetd.conf; time is basically the same. Both may be useful for
testing.

auth can be turned off in the same way if you don't plan on sending any
outgoing mail.

I must admit to not being aware of what would be running on 53/tcp.
netstat is your friend (for that matter, why use nmap instead?).

Just filtering aggressively using pf works as well, of course.

Joachim
Re: Save ports
On 2007/02/22 22:36, Joachim Schipper wrote:
> I must admit to not being aware of what would be running on 53/tcp.
> netstat is your friend

$ fstat | grep tcp.*:53
Re: Save ports
On Tue, Feb 20, 2007 at 08:01:19PM -0700, Open Phugu wrote:
> On 2/20/07, Bray Mailloux [EMAIL PROTECTED] wrote:
> > I ran an nmap -sS localhost which output
> >
> >   port     state  service
> >   13/tcp   open   daytime
> >   22/tcp   open   ssh
> >   25/tcp   open   smtp
> >   37/tcp   open   time
> >   53/tcp   open   domain
> >   113/tcp  open   auth
> >   587/tcp  open   submission
> >
> > This BSD box will be serving solely as a router so few of the above
> > services are needed (submission, auth, domain, smtp). How do I begin
> > closing down these services?
>
> Turn off inetd to close 13,37,133.
> Configure sendmail not to listen on ports 25 and 587,

Bray did the scan on localhost. In the default configuration sendmail
only listens to ports 25 and 587 on loopback, not the normal network
device. There may be some programs running which need a local sendmail.

It's usually better to do such scans from another host and/or use
netstat to see to which local addresses services are bound.

> That leaves 22(ssh) and 53(domain).

Regards,
Markus
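Markus's point (check which local address each service is bound to, rather than scanning localhost) and Joachim's (turn off daytime, time and auth by editing /etc/inetd.conf) can both be scripted. The following is an added example written for this thread, not code from any of the posters; the netstat and inetd.conf samples are constructed, and on a live OpenBSD box you would feed `netstat -an -f inet` and /etc/inetd.conf into the functions instead.

```shell
#!/bin/sh
# Added example: tell loopback-only listeners from externally reachable ones,
# and comment out unwanted inetd.conf services. Both inputs below are
# constructed samples standing in for `netstat -an -f inet` and /etc/inetd.conf.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.13                   *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  *.37                   *.*                    LISTEN
tcp        0      0  *.53                   *.*                    LISTEN
tcp        0      0  *.113                  *.*                    LISTEN
tcp        0      0  127.0.0.1.587          *.*                    LISTEN
tcp        0      0  192.0.2.1.22           198.51.100.7.4321      ESTABLISHED'
SAMPLE_INETD='daytime  stream  tcp  nowait  root     internal
time     stream  tcp  nowait  root     internal
ident    stream  tcp  nowait  _identd  /usr/libexec/identd identd -el'

# Read netstat output on stdin; print "loopback PORT" or "external PORT" for
# each LISTEN socket. The local address is "addr.port", so the port is the
# last dot-separated field and the address is everything before it.
classify_listeners() {
    awk '$1 == "tcp" && $NF == "LISTEN" {
        n = split($4, a, ".")
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        scope = (addr == "127.0.0.1") ? "loopback" : "external"
        print scope, port
    }'
}
# Ports other hosts can reach (bound to * or an interface address), sorted.
external_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners |
        awk '$1 == "external" { print $2 }' | sort -n
}
# Ports only an nmap against localhost would show; other hosts cannot reach them.
loopback_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners |
        awk '$1 == "loopback" { print $2 }' | sort -n
}
# Read inetd.conf on stdin; comment out the lines for the services named as
# arguments (e.g. daytime time) and pass everything else through unchanged.
disable_inetd_services() {
    awk -v svcs="$*" 'BEGIN { n = split(svcs, s, " "); for (i = 1; i <= n; i++) off[s[i]] = 1 }
        ($1 in off) && $0 !~ /^#/ { print "#" $0; next } { print }'
}
```

With the sample above, `external_ports` lists 13, 22, 37, 53 and 113, while 25 and 587 show up only under `loopback_ports`, which is exactly why the sendmail ports in Bray's localhost scan are not a concern for the rest of the network.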
Save ports
I ran an nmap -sS localhost which output

  port     state  service
  13/tcp   open   daytime
  22/tcp   open   ssh
  25/tcp   open   smtp
  37/tcp   open   time
  53/tcp   open   domain
  113/tcp  open   auth
  587/tcp  open   submission

This BSD box will be serving solely as a router so few of the above
services are needed (submission, auth, domain, smtp). How do I begin
closing down these services?
Re: Save ports
Bray Mailloux wrote:
> I ran an nmap -sS localhost which output
>
>   port     state  service
>   13/tcp   open   daytime
>   22/tcp   open   ssh
>   25/tcp   open   smtp
>   37/tcp   open   time
>   53/tcp   open   domain
>   113/tcp  open   auth
>   587/tcp  open   submission
>
> This BSD box will be serving solely as a router so few of the above
> services are needed (submission, auth, domain, smtp). How do I begin
> closing down these services?

If you gotta ask, don't.

If the thing is serving as a router, you are probably running PF, so just
filter the services from the outside that you don't want the outside
world to get to (probably, all of them).

Don't break your box on some very misguided attempt to do stupid things
in the name of security.

Nick.
Re: Save ports
Turn off inetd to close 13,37,133.
Configure sendmail not to listen on ports 25 and 587,
That leaves 22(ssh) and 53(domain).

On 2/20/07, Bray Mailloux [EMAIL PROTECTED] wrote:
> I ran an nmap -sS localhost which output
>
>   port     state  service
>   13/tcp   open   daytime
>   22/tcp   open   ssh
>   25/tcp   open   smtp
>   37/tcp   open   time
>   53/tcp   open   domain
>   113/tcp  open   auth
>   587/tcp  open   submission
>
> This BSD box will be serving solely as a router so few of the above
> services are needed (submission, auth, domain, smtp). How do I begin
> closing down these services?

-- 
ID: AF133028 fp:9D6B DC0F CCDA 53FA 3F04 A551 BC23 374D AF13 3028