Hello there, guys: I have set up a Linux box (RH 7.1) to use as a firewall between 2 tiny LANs and the Internet; it looks like this (sorry for the poor "art"):

                        *****************
        eth0            *    LINUX      *  eth2
  ((Internet((<-------->*    RH 7.1     *<------>** LAN2 (Win 9x) **
                        *               *  eth1
                        *               *<------>** LAN1 (Win - linux) **
                        *****************

So far, the Linux box is used, as I said, to firewall the internal LANs (currently there's only one PC attached to each internal NIC) and to share a single connection to the outside world. We are not providing any public services, no servers at all, except for ssh to manage the firewall and webwasher as a proxy (to avoid ads); all this is planned to be accessible only from the internal side.

I am no guru at all (just the only one who is willing to play and learn with Linux and security). So, while I'm learning to properly manage this stuff, I am blocking (DROPPING) all SYN packets that come from outside and allowing incoming SYNs from the internal side (but only to ssh and webwasher). Any other traffic is allowed. So, nmap -sS reports everything filtered, but nmap -sF is able to find the X server, webwasher and ssh.

Local security is not a problem (oh, well, I know you can never be so sure, but let's say it's reasonably secure ;-} ), but I am wondering if I'm missing something here (surely I am)... My reasoning here is "if they cannot connect to any port with a SYN, then they cannot get a login prompt or anything else so as to get root". Well, I imagine that if they can compromise one of the internal machines then they could get to one port on the firewall (I know I shouldn't run a firewall and servers on the same box, but there are budget considerations here; a pity we are not in a perfect world...). Anyway, if I don't do DNAT or put a service on the internal PCs, I think it gets rather difficult for a remote hacker, OR NOT?

Ok, I have had this "Frankenstein" running and attached to the net for about 3 weeks... Have I been too naive, and maybe they already rooted me?

Any comments and help are welcome; please forgive my English if I have committed any mistakes, and also the rather lengthy message... I'll make it shorter next time.

--
Best regards,
Juan
mailto:[EMAIL PROTECTED]
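The two INPUT policies discussed above side by side, as an added example that is not part of Juan's message: the SYN-only drop from the post, which still lets FIN/NULL/Xmas probes reach the listening sockets (hence nmap -sF finding X, webwasher and ssh), and a stateful policy where the external interface only admits packets of connections the box or the LANs opened. The interface names eth0/eth1/eth2 are taken from the diagram; ssh on 22 and the webwasher port are assumptions, and by default the script only echoes the iptables commands (run with IPT=iptables to apply).

```shell
#!/bin/sh
# Added example: stateful INPUT filtering for a RH 7.1 box acting as a
# firewall (eth0 = Internet, eth1/eth2 = internal LANs). Not Juan's script.
# Dry run by default: commands are printed, not executed.
IPT=${IPT:-"echo iptables"}
EXT_IF=${EXT_IF:-eth0}
INT_IFS=${INT_IFS:-"eth1 eth2"}
SSH_PORT=22
WW_PORT=${WW_PORT:-8080}   # placeholder: replace with webwasher's real listen port

# Weak policy from the post: only inbound SYNs are dropped, so any other
# TCP segment from the Internet still reaches the sockets behind it and
# their replies (or silence) reveal which ports are open.
syn_only_rules() {
    $IPT -A INPUT -i "$EXT_IF" -p tcp --syn -j DROP
}

# Stateful policy: default DROP, then accept only loopback, packets that the
# connection tracker ties to an existing connection, and NEW connections to
# ssh/webwasher arriving from the internal interfaces. A lone FIN from eth0
# matches nothing (INVALID or unmatched NEW) and is silently dropped.
stateful_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for ifc in $INT_IFS; do
        $IPT -A INPUT -i "$ifc" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
        $IPT -A INPUT -i "$ifc" -p tcp --dport "$WW_PORT" -m state --state NEW -j ACCEPT
    done
    # No rule admits NEW from $EXT_IF, so the X server (6000) and the two
    # management services are unreachable from the Internet whatever flags a
    # probe carries. FORWARD/NAT for the LANs is a separate chain, not shown.
}
```

The FORWARD chain needs the same ESTABLISHED,RELATED / NEW-from-inside-only treatment so the internal LANs get the same protection as the firewall itself.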