Re: nfs and firewall
-----BEGIN PGP SIGNED MESSAGE-----
On Sun, 3 Sep 2000, Carel Fellinger wrote:
> On Sun, Sep 03, 2000 at 06:01:09AM +0200, Sebastian Ritter wrote:
> > On Sat, 2 Sep 2000, Carel Fellinger wrote:
> > > Hai,
> > >
> > > I'm trying to secure my system, I ran pmfirewall and some tests.
> > > It seems that rpc.mountd still listens on port 1024 even on the
> > > outgoing ethernet.
> > You can find a lot of informations on how to set up Firewalls in the
> > IPCHAINS-HOWTO. You can find that document under http://www.linuxdoc.org/.
> I know, I'm reading it. But it takes time to fully understand it:(
It's worth the time ;-)
> > Using the firewall as a mail and news server is extremely dangerous. The
> > best firewall would be a dedicated machine which ONLY acts as a
> > firewall and does nothing more. I think any company that's a little bit
> > nervous about security should afford that.
> I'm not a company:), and I never intent to provide internet services.
> Those services are for the localnet only! I want them to get denied on
> the external (internet) ethernet. I don't know yet whether that still
> compromises security (I've a lot of reading to do:), so for the time
> being I would appreciate a verdict from a more experienced person.
> Do you think that even in the above situation local only mail/news
> services are a bad thing? And is that because once you get cracked
> the cracker has access to your local news and mail spool?
Oh, I thought you were a company because you spoke about a LAN, hmm, i've
got a LAN with three machines at home too... ;-)
Yeah, once you get cracked the cracker has access to mail and news spool,
but these services could also be used to break into the machine. Be sure
to watch out for the latest security updates for these services and
that you do not offer these services to the internet, ONLY to the
internal LAN. Maybe you could read the debian-security-announce mailing
list to keep your software secure.
> > It seems to me that you are very new to IP security. I'd strongly advise
> > you to buy external support or read lots of related books, e. g. "Building
> > Internet Firewalls 2nd Edition" by O'Reilly to gain the basic
> > skills. Otherwise it's very likely that you'll get cracked. ;-)
> I've no money to spent on this, so I will have to read and read and read...
> It's just that in the mean time i would prefer to have a safe machine:)
> I understood from reading sofar that as long as you don't expose any service
> to the outside world you are safe, don't know for sure yet though.
A safe machine is never connected to the internet. ;-)
What you need to break into a system is a physical connection and enough
time. Even with the best firewall.
Just shut down all the services you don't need on the machine and set up
ipchains rules as described in IPCHAINS-HOWTO, that should be enough
security for a home machine I believe. And watch /var/log/messages for
strange things from time to time. That's even more secure than the
"fireholes" of many companies if you spend some time on it.
But for commercial use there are better solutions, but they are expensive
or not very easy to use or both... ;-)
Just my $0.02
email: firstname.lastname@example.org gpg: 0A17B8EC icq: 86831140
Key fingerprint = C693 9161 F596 6333 C22D 1BCC F385 A303 0A17 B8EC
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----