Re: Can a daemon listen only on some interfaces?

2001-12-11 Thread Guillem Jover
On Mon, Dec 10, 2001 at 10:00:19AM +1000, mdevin wrote: Here is what I did: [snip clean solution :) ] The only remaining question I have is: Is this the correct way to use the - and + permission setting in /etc/security/access_conf ? 'Cause what I have done here is to allow specific users

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-10 Thread Plato
On Sun, Dec 09, 2001 at 07:45:52PM +0100, Guido Hennecke wrote: At 09.12.2001, Tim Haynes wrote: echo 1 /proc/sys/net/ipv4/conf/*/rp_filter with echo 1 /proc/sys/net/ipv4/conf/*/log_martians for logging/fun purposes. rp_filter will not help with that. I thought that

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-10 Thread Tim Haynes
Plato [EMAIL PROTECTED] writes: echo 1 /proc/sys/net/ipv4/conf/*/rp_filter with echo 1 /proc/sys/net/ipv4/conf/*/log_martians for logging/fun purposes. rp_filter will not help with that. I thought that rp_filter was for precisely this. Doesn't it stop packets which

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-10 Thread mdevin
On Mon, Dec 10, 2001 at 09:31:09AM +0200, Berend De Schouwer wrote: On Mon, 2001-12-10 at 08:19, mdevin wrote: On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote: With ipchains you can make the following: ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY What this

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-10 Thread Tim Haynes
Guido Hennecke [EMAIL PROTECTED] writes: Sorry, I was transposing my thoughts into ipchains rules. Actually my firewall is iptables based. In iptables, packets that are being masqueraded traverse only the FORWARD chain and not the INPUT or OUTPUT chains. Thus if the rule was:

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-10 Thread mdevin
On Mon, Dec 10, 2001 at 12:54:31PM +, Tim Haynes wrote: Guido Hennecke [EMAIL PROTECTED] writes: Sorry, I was transposing my thoughts into ipchains rules. Actually my firewall is iptables based. In iptables, packets that are being masqueraded traverse only the FORWARD chain and

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-10 Thread mdevin
On Mon, Dec 10, 2001 at 10:55:07PM +1000, mdevin wrote: On Mon, Dec 10, 2001 at 12:22:44PM +, Tim Haynes wrote: Plato [EMAIL PROTECTED] writes: echo 1 /proc/sys/net/ipv4/conf/*/rp_filter with echo 1 /proc/sys/net/ipv4/conf/*/log_martians for logging/fun

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-10 Thread mdevin
On Mon, Dec 10, 2001 at 01:21:15PM +, Tim Haynes wrote: Ultimately, I want input forward to be drop-by-default. However, the `block' chain is meant to be good for both input forward scenarios; it has rules for stateful filtering and `open' things, then a drop log. If I put in a rule

Re: Can a daemon listen only on some interfaces?

2001-12-10 Thread Ted Cabeen
In message [EMAIL PROTECTED], Petro writes: On Sat, Dec 08, 2001 at 01:40:06AM -0800, [EMAIL PROTECTED] wrote: After reading a previous thread about stopping services from listening on certain ports, I

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-10 Thread Volker Tanger
Greetings! At 09.12.2001, [EMAIL PROTECTED] wrote: [...] And thanks for all the replies. In fact I was most interested to hear that you could not make daemons listen on only one interface but you could make them bind to an IP address range. I guess that is what I achieved in my

Re: Can a daemon listen only on some interfaces?

2001-12-10 Thread mdevin
On Mon, Dec 10, 2001 at 09:39:02AM -0800, Ted Cabeen wrote: In message [EMAIL PROTECTED], Petro writes: On Sat, Dec 08, 2001 at 01:40:06AM -0800, [EMAIL PROTECTED] wrote: After reading a previous

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-10 Thread mdevin
On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote: With ipchains you can make the following: ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY What this says is: all packets with destination 192.168.0.1 must not have come from eth1 or they will be denied. Why do you choose to

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-10 Thread Berend De Schouwer
On Mon, 2001-12-10 at 08:19, mdevin wrote: On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote: With ipchains you can make the following: ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY What this says is: all packets with destination 192.168.0.1 must not have come from

Re: Can a daemon listen only on some interfaces?

2001-12-10 Thread Javier Fernández-Sanguino Peña
On Sat, Dec 08, 2001 at 03:54:21PM -0800, Mark Lanett wrote: Postfix is configurable as to which interfaces it listens to. So are samba, courier-imap, apache. The only problem is that each one has its own completely different kind of configuration file. Some of them are documented at

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-10 Thread mdevin
On Mon, Dec 10, 2001 at 12:22:44PM +, Tim Haynes wrote: Plato [EMAIL PROTECTED] writes: echo 1 /proc/sys/net/ipv4/conf/*/rp_filter with echo 1 /proc/sys/net/ipv4/conf/*/log_martians for logging/fun purposes. rp_filter will not help with that. I thought

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-10 Thread Tim Haynes
mdevin [EMAIL PROTECTED] writes: [snip firewall overview] how come packets still seem to get dropped when being forwarded between interfaces? I am not sure I have totally gotten what you are trying to do here. But, the packets will be dropped instead of being forwarded between interfaces

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-10 Thread Ted Cabeen
In message [EMAIL PROTECTED], Henrique de Moraes Holschuh writes: On Sun, 09 Dec 2001, Guido Hennecke wrote: At 09.12.2001, Henrique de Moraes Holschuh wrote: On Sun, 09 Dec 2001, Guido Hennecke wrote:

Re: Can a daemon listen only on some interfaces?

2001-12-10 Thread Ted Cabeen
In message [EMAIL PROTECTED], mdevin writes: One thing to keep in mind when turning off services is to use update-rc.d correctly. It's not a good idea to turn off services using update-rc.d -f

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-09 Thread Henrique de Moraes Holschuh
On Sun, 09 Dec 2001, Guido Hennecke wrote: 127.0.0.1 Gateway your official ip address Interface his external interface he can reach your service bound to 127.0.0.1. And this without activating ip_forward on your computer! Is this true even if the policy of the forward

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-09 Thread Phillip Hofmeister
- Original Message - From: Guido Hennecke [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, December 09, 2001 8:14 AM Subject: Re: Fw: Can a daemon listen only on some interfaces? At 09.12.2001, [EMAIL PROTECTED] wrote: [...] And thanks for all the replies. In fact I was most

Re: Can a daemon listen only on some interfaces?

2001-12-09 Thread mdevin
On Sun, Dec 09, 2001 at 04:30:35AM +0100, Guillem Jover wrote: On Sun, Dec 09, 2001 at 12:06:26AM +1000, [EMAIL PROTECTED] wrote: I do want sshd to listen on all (0.0.0.0) but I would like to find a way to make it only accept connection attempts for a certain user from the internet but

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-09 Thread mdevin
On Sun, Dec 09, 2001 at 07:45:52PM +0100, Guido Hennecke wrote: Please don't answer to the list _and_ to me. Thank you. At 09.12.2001, Tim Haynes wrote: Phillip Hofmeister [EMAIL PROTECTED] writes: [snip] If an attacker in the same network sets a route like that:

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-09 Thread mdevin
On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote: I try to explain again: You have a Linux box with eth0 and eth1. eth0 is the Internet interface, eth1 is the interface to the LAN. IP addresses: eth0 - 123.123.123.123 eth1 - 192.168.0.1 You want remote

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-09 Thread mdevin
On Mon, Dec 10, 2001 at 01:52:51PM +1000, mdevin wrote: On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote: I try to explain again: You have a Linux box with eth0 and eth1. eth0 is the Internet interface, eth1 is the interface to the LAN. IP addresses: eth0 -

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-09 Thread mdevin
On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote: With ipchains you can make the following: ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY What this says is: all packets with destination 192.168.0.1 must not have come from eth1 or they will be denied. Why do you choose to

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-09 Thread Phillip Hofmeister
- Original Message - From: Guido Hennecke [EMAIL PROTECTED] To: debian-security@lists.debian.org Sent: Sunday, December 09, 2001 8:14 AM Subject: Re: Fw: Can a daemon listen only on some interfaces? At 09.12.2001, [EMAIL PROTECTED] wrote: [...] And thanks for all the replies

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-09 Thread Tim Haynes
Phillip Hofmeister [EMAIL PROTECTED] writes: [snip] If an attacker in the same network sets a route like that: 127.0.0.1 Gateway your official ip address Interface his external interface Couldn't this be countered with: ipchains -i !lo -d 127.0.0.1 -j DENY ?

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-09 Thread Henrique de Moraes Holschuh
On Sun, 09 Dec 2001, Guido Hennecke wrote: At 09.12.2001, Henrique de Moraes Holschuh wrote: On Sun, 09 Dec 2001, Guido Hennecke wrote: 127.0.0.1 Gateway your official ip address Interface his external interface he can reach your service bound to 127.0.0.1. And

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-09 Thread Henrique de Moraes Holschuh
On Mon, 10 Dec 2001, Guido Hennecke wrote: All packets come over the network and want to go to an ip address a local interface is bound to, will not be routed to come to that interface. That's the problem. Indeed. Well, ipmasq needs an update to trash anything incoming and outgoing from !lo

Can a daemon listen only on some interfaces?

2001-12-08 Thread mdevin
After reading a previous thread about stopping services from listening on certain ports, I decided to investigate things a little further for my system. So, what I can figure out is that it seems that I have only the following daemons listening: postfix, sshd, cupsd, XF86_SVGA, portmap. I have

Re: Can a daemon listen only on some interfaces?

2001-12-08 Thread Michael Wood
Hi On Sat, Dec 08, 2001 at 07:40:06PM +1000, [EMAIL PROTECTED] wrote: [snip] So, what I can figure out is that it seems that I have only the following daemons listening: postfix, sshd, cupsd, XF86_SVGA, portmap. I have only deliberately decided to run postfix, sshd and cupsd. Everything

Re: Can a daemon listen only on some interfaces?

2001-12-08 Thread mdevin
On Sat, Dec 08, 2001 at 01:25:16PM +0200, Michael Wood wrote: Hi On Sat, Dec 08, 2001 at 07:40:06PM +1000, [EMAIL PROTECTED] wrote: [snip] So, what I can figure out is that it seems that I have only the following daemons listening: postfix, sshd, cupsd, XF86_SVGA, portmap. I have

Re: Can a daemon listen only on some interfaces?

2001-12-08 Thread Robert Mognet
On Sat, Dec 08, 2001 at 07:39:44PM +1000, [EMAIL PROTECTED] wrote: The only ones I didn't know about in this list are portmap and XF86_SVGA. Firstly, I can't seem to find the config file for X where you set the --nolisten parameter From man Xserver(1) -nolisten trans-type

Re: Can a daemon listen only on some interfaces?

2001-12-08 Thread Alberto Cortés
On Sun, 09 Dec 2001, at 00:06 +1000, mdevin said: Make sure your /etc/X11/xinit/xserverrc contains something like this: #!/bin/sh exec /usr/bin/X11/X -dpi 100 -nolisten tcp Hmmm. This file did not exist on my computer. I don't know why. I just assumed that it

Re: Can a daemon listen only on some interfaces?

2001-12-08 Thread Alberto Cortés
use NIS or NFS just chown the file again to executable. Oops, I mean chmod not chown. -- Alberto Cortés Martín | Ing. de Telecomunicaciones email: [EMAIL PROTECTED] | Universidad Carlos III tel: +34 91 450 09 85 | Madrid mobile: 600 42 77 57 | Spain url:

Re: Can a daemon listen only on some interfaces?

2001-12-08 Thread Jens Schuessler
At 15:06 08.12.01, you wrote: I do want sshd to listen on all (0.0.0.0) but I would like to find a way to make it only accept connection attempts for a certain user from the internet but still allow several other users to connect from the LAN. I do know how to make it accept connections for

Re: Can a daemon listen only on some interfaces?

2001-12-08 Thread Hubert Chan
mdevin == mdevin [EMAIL PROTECTED] writes: [...] mdevin The only ones I didn't know about in this list are portmap and mdevin XF86_SVGA. Firstly, I can't seem to find the config file for X mdevin where you set the --nolisten parameter - but I

Re: Can a daemon listen only on some interfaces?

2001-12-08 Thread Petro
On Sat, Dec 08, 2001 at 01:40:06AM -0800, [EMAIL PROTECTED] wrote: After reading a previous thread about stopping services from listening on certain ports, I decided to investigate things a little further for my system. So, what I can figure out is that it seems that I have only the

Re: Can a daemon listen only on some interfaces?

2001-12-08 Thread Michael Wood
On Sat, Dec 08, 2001 at 08:09:50PM +0100, Guido Hennecke wrote: At 08.12.2001, Michael Wood wrote: On Sat, Dec 08, 2001 at 07:40:06PM +1000, [EMAIL PROTECTED] wrote: [...] So my question is: Is there some way to make certain daemons, (say postfix) listen only on some interfaces? For

Re: Can a daemon listen only on some interfaces?

2001-12-08 Thread Mark Lanett
Postfix is configurable as to which interfaces it listens to. So are samba, courier-imap, apache. The only problem is that each one has its own completely different kind of configuration file. The new vserver patch (for 2.4.16) can be used to force processes to use only one interface. ~mark

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-08 Thread mdevin
On Sat, Dec 08, 2001 at 11:57:51PM +0100, Guido Hennecke wrote: At 08.12.2001, Phillip Hofmeister wrote: grr...forgot to reply to list... It was not necessary because... From: Phillip Hofmeister [EMAIL PROTECTED] OR you could use IPCHAINS or IPTABLES to REJECT (or DENY) the

Re: Can a daemon listen only on some interfaces?

2001-12-08 Thread Guillem Jover
On Sun, Dec 09, 2001 at 12:06:26AM +1000, [EMAIL PROTECTED] wrote: I do want sshd to listen on all (0.0.0.0) but I would like to find a way to make it only accept connection attempts for a certain user from the internet but still allow several other users to connect from the LAN. I do know

Fw: Can a daemon listen only on some interfaces?

2001-12-08 Thread Phillip Hofmeister
grr...forgot to reply to list... - Original Message - From: Phillip Hofmeister [EMAIL PROTECTED] To: Guido Hennecke [EMAIL PROTECTED] Sent: Saturday, December 08, 2001 3:10 PM Subject: Re: Can a daemon listen only on some interfaces? OR you could use IPCHAINS or IPTABLES to REJECT
