Hi all,
On Tue, Mar 25, 2003 at 01:46:32PM -0600, Jones wrote:
> One thing they forgot to mention was that they used Exchange for
> email. That means instead of running exim, I will have to forward
> SMTP & POP traffic to their Exchange server. The Exchange server
> will not be directly conne
Thanks for all the responses to my iptables question. From what I
read, it looks like iptables will be adequate protection for their
setup. I went to see her again yesterday to start setting things up.
One thing they forgot to mention was that they used Exchange for
email. That means instead
Aren't some ICMP packets best to allow for effective routing and such?
Josh Carroll wrote:
There are a couple of reasons why I use -j DROP
instead of -j REJECT. Firstly, sending responses to
packets you're dropping can be bad, given a relatively
small upstream link. In theory, one could DoS you
suff
In article <[EMAIL PROTECTED]>
[EMAIL PROTECTED] writes:
>Also, I would set some no-spoof rules, like accept 127.0.0.0/8 only from
>interface lo, and drop
>non-routable stuff coming from public interface.
for dev in default eth0 eth1 eth2 eth3 eth4 eth5 eth6
do
echo 1 >/proc/sys/net/ipv4
* Adrian Phillips <[EMAIL PROTECTED]> [030321 09:21]:
> Um, would you be so kind as to explain the "deluding yourself" part or
> point to some information that does so? From what I have read on the
> net using google a good number of people use drop to help with port
> scanning (ie. port scanning
> [EMAIL PROTECTED]:~# iptables-save
> # Generated by iptables-save v1.2.7a on Fri Mar 21 10:13:12 2003
> *nat
> :PREROUTING ACCEPT [17038:1364291]
> :POSTROUTING ACCEPT [1561:131055]
> :OUTPUT ACCEPT [7155:558179]
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j REDIRECT
> --to-ports 4
>
On Thu, 2003-03-20 at 22:10, Vineet Kumar wrote:
> * Adrian 'Dagurashibanipal' von Bidder <[EMAIL PROTECTED]> [20030320 06:39
> PST]:
> > Set it up to block everything and then selectively open ports until
> > everything works as desired. Depending on the applications it may be a
> > good idea to
> -Original Message-
> From: Josh Carroll [mailto:[EMAIL PROTECTED]
> Sent: Friday 21 March 2003 08:46
> To: debian-security@lists.debian.org
> Subject: Re: is iptables enough?
>
>
> There are a couple of reasons why I use -j DROP
> instead of -j REJECT. Fi
> "Vineet" == Vineet Kumar <[EMAIL PROTECTED]> writes:
Vineet> * Adrian 'Dagurashibanipal' von Bidder
Vineet> <[EMAIL PROTECTED]> [20030320 06:39 PST]:
>> Set it up to block everything and then selectively open ports
>> until everything works as desired. Depending on the
>>
On Thu Mar 20, 11:27pm -0800, Josh Carroll wrote:
> In general, I don't use -REJECT unless I'm worried
> about being polite. And in most circumstances,
> politeness isn't my goal ;)
Just to throw in my two cents, for each ten million people that don't
care, you've made one admin cry.
:)
There are a couple of reasons why I use -j DROP
instead of -j REJECT. Firstly, sending responses to
packets you're dropping can be bad, given a relatively
small upstream link. In theory, one could DoS you
sufficiently with an upstream equal or slightly better
than yours. That is not to say that the w
please me more than being able to hire ten programmers and
deluge the hobby market with good software"...Bill Gates 1976...We're still
waiting
From: Ian Garrison <[EMAIL PROTECTED]>
To: Keegan Quinn <[EMAIL PROTECTED]>
CC: debian-security@lists.debian.org
Subject: Re: i
* Adrian 'Dagurashibanipal' von Bidder <[EMAIL PROTECTED]> [20030320 06:39 PST]:
> Set it up to block everything and then selectively open ports until
> everything works as desired. Depending on the applications it may be a
> good idea to REJECT auth (identd) packets instead of dropping them -
> so
Definitely true, and worth mentioning. There is also the point that
several of the punier devices that one might thrust into the horde of
angry packets might have crummy stacks or be vulnerable to the silliest of
things (especially in the case of consumer grade equipment). If the
hardware is a
On Wednesday 19 March 2003 01:07 pm, Ian Garrison wrote:
>Imo iptables is a reasonably good stateful firewall and is fine in most
> cases. However, a very wise person once said that the ideal setup is to
> layer more than one implementation of packet filter and firewall between
> the wild and
On Wed, 2003-03-19 at 23:01, Stefan Neufeind wrote:
> What I find astonishing: Let's say you are running a webserver, maybe
> mailserver and a DNS on a server. What rules do you want to apply to
> the packets etc.?
I guess plain iptables should be enough for single PC or SOHO network -
you can d
> "Jones" == Jones <[EMAIL PROTECTED]> writes:
Jones> I am planning to replace a (dead) Windows 2000 computer
Jones> that was used as a web server and email server with a
Jones> Debian Linux solution. This machine is connected to the
Jones> net via DSL and would run apache an
On Thu, Mar 20, 2003 at 01:53:07PM +0100, Rolf Kutz wrote:
> How is that, since IDE and SCSI-Disks are having
> the same mechanics?
For one, the old IDEs tended to be more cheaply made.
He is right in that: for customer machines in that
era I always insisted on SCSI hard drives for speed
and rel
* Quoting I.R. van Dongen ([EMAIL PROTECTED]):
>
> On Wed, 19 Mar 2003 21:21:42 +, [EMAIL PROTECTED] wrote:
>
> > On Wed, Mar 19, 2003 at 09:45:48PM +0100, Janus N. T?ndering wrote:
> > > This should be more than enough. I have been running a mailserver on a
> > > Pentium 133MHz 96 RAM + SCS
On Thu, Mar 20, 2003 at 10:31:12AM +0100, I.R. van Dongen wrote:
> I hope that machine has scsi disks like my gateway (120MB & 1GB) since with
> that low on ram your machine is always swapping. That's usually no problem,
> but IDE disks tend to wear out fast when used 24/7. With more RAM (32-40M)
On Wed, 19 Mar 2003 21:21:42 +, [EMAIL PROTECTED] wrote:
> On Wed, Mar 19, 2003 at 09:45:48PM +0100, Janus N. T?ndering wrote:
> > This should be more than enough. I have been running a mailserver on a
> > Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot
> > mail --- ne
rest of the "secure distro" or floppy-based distro for
firewall grade OS -- or a hardened debian box..
http://www.Linux-Sec.net/Distro/
- but from the looks of security advisories from some
distro, it's just like any other linux distro .. with
more or less tweeki
[EMAIL PROTECTED]
Sent: Thursday, 20 March 2003 10:22
To: Ian Garrison
Cc: debian-security@lists.debian.org
Subject: Re: is iptables enough?
What I find astonishing: Let's say you are running a webserver, maybe
mailserver and a DNS on a server. What rules do you want to apply to
the pa
On Wednesday 19 March 2003 22:58, Rick Moen wrote:
> You could do that with Linux Router Project floppy images -- but
> booting from floppy is really cramped. Through some miracle of
> economising on space, they finally migrated to libc6 and kernel
> 2.2.x, but God only knows how.
Hehe...
> Usi
What I find astonishing: Let's say you are running a webserver, maybe
mailserver and a DNS on a server. What rules do you want to apply to
the packets etc.?
I would suggest keeping the open ports restricted, checking for all
current updates regularly (subscribe to several mailing lists etc.)
and I
Quoting Kjetil Kjernsmo ([EMAIL PROTECTED]):
> Well, I'm primarily responding to your second question, but the way I
> would do it, if I had the resources, would be to get a small Pentium
> 133 MHz box, booting from a floppy and use it as a router and firewall.
> No harddrive, a complete wastel
On Wed, Mar 19, 2003 at 09:45:48PM +0100, Janus N. T?ndering wrote:
> This should be more than enough. I have been running a mailserver on a
> Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot
> mail --- never had a problem.
Hah! Is nothing! I run a cablemodem firewall, multi
Imo iptables is a reasonably good stateful firewall and is fine in most
cases. However, a very wise person once said that the ideal setup is to
layer more than one implementation of packet filter and firewall between
the wild and a host/network you wish to protect. Ideally implementations
on d
Hello,
On Wednesday 19 March 2003 11:44 am, Jones wrote:
> I am planning to replace a (dead) Windows 2000 computer that was used
> as a web server and email server with a Debian Linux solution. This
> machine is connected to the net via DSL and would run apache and
> exim/qpopper and sshd. Every
On Wed, 2003-03-19 at 20:44, Jones wrote:
> On a less related note, what hardware config would you recommend for
> such a system? She has a number of machines that I could choose
> from. Most of them are 1.x GHz Pentium systems with 256MB RAM and 10
> GB IDE hard drives. After increasing the
Hi!
On Wednesday 19 March 2003 20:44, Jones wrote:
> Am I right in assuming that iptables is enough as a firewall solution
> and that I would not need to buy any additional software.
Well, I'm primarily responding to your second question, but the way I
would do it, if I had the resources, woul
On Wed, Mar 19, 2003 at 01:44:13PM -0600, Jones remarked:
> I am planning to replace a (dead) Windows 2000 computer that
> was used as a web server and email server with a Debian Linux
> solution. This machine is connected to the net via DSL and
> would run apache and exim/qpopper and sshd. Every
I am planning to replace a (dead) Windows 2000 computer that was used
as a web server and email server with a Debian Linux solution. This
machine is connected to the net via DSL and would run apache and
exim/qpopper and sshd. Everything else would be turned off. It is a
small church and thei