
Re: question about ipchains on dual interface machine

Hello Mike, hello List.

On Wed, Oct 10, 2001 at 11:37:36AM -0400, Mike Dresser wrote:
> I want to deny ports 23, 37, 137, 139, etc., from the Internet, but allow
> them from Y.

What about configuring services to listen only on one _specific_
interface/ip? (In your case Y) So you perhaps don't have to take care of
a confusing firewall setup... hiding services is not the way[tm] to make or
keep a network secure.

Even if there are non-vulnerable services running (you never know, don't
trust software that isn't your own ;-)) on the machine, always keep in mind
that even authorised users can externally compromise your network accidentally
or maliciously by using world-accessible services (without needing to be...)

Fix samba (137 and 139) on Linux machines, for example, by putting two
lines into /etc/samba/smb.conf:

   interfaces = eth0
   bind interfaces only = True
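
An added example, not part of the original message: a check that the ports named in the thread are bound only to the internal address, done by parsing the Linux /proc/net/tcp and /proc/net/udp socket tables. The sample tables and the address 192.168.0.1 for interface Y are constructed, and the address decoding assumes a little-endian host such as x86.

```python
import socket
import struct

WATCHED_PORTS = {23, 37, 137, 139}   # ports named in the thread
TCP_LISTEN = "0A"                    # 'st' column: listening TCP socket
UDP_UNCONNECTED = "07"               # 'st' column: bound, unconnected UDP socket
ALLOWED_IPS = {"192.168.0.1", "127.0.0.1"}  # assumed address of Y, plus loopback

HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
REST = " 00000000:00000000 00:00000000 00000000     0        0 1200\n"
# Constructed sample tables in /proc/net/tcp and /proc/net/udp layout.
SAMPLE_TCP = (HEADER
    + "   0: 00000000:0017 00000000:0000 0A" + REST   # telnet on every interface
    + "   1: 0100A8C0:008B 00000000:0000 0A" + REST   # smbd on 192.168.0.1 only
    + "   2: 00000000:0016 00000000:0000 0A" + REST   # ssh, not a watched port
    + "   3: 0100A8C0:0017 0201A8C0:C350 01" + REST)  # established session, ignored
SAMPLE_UDP = (HEADER
    + "   0: 00000000:0089 00000000:0000 07" + REST   # nmbd on every interface
    + "   1: 0100A8C0:0025 00000000:0000 07" + REST)  # time service on 192.168.0.1 only


def decode_addr(field):
    """Decode '0100A8C0:008B' into ('192.168.0.1', 139)."""
    hex_ip, hex_port = field.split(":")
    # The kernel prints the address as a native 32-bit hex word (little-endian assumed).
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def exposed_listeners(table_text, listen_state, allowed_ips=ALLOWED_IPS):
    """Return sorted (ip, port) pairs on watched ports bound outside allowed_ips."""
    findings = set()
    for line in table_text.splitlines()[1:]:        # first line is the header
        cols = line.split()
        if len(cols) < 4 or cols[3] != listen_state:
            continue
        ip, port = decode_addr(cols[1])
        if port in WATCHED_PORTS and ip not in allowed_ips:
            findings.add((ip, port))
    return sorted(findings)


if __name__ == "__main__":
    # On a real host, pass open("/proc/net/tcp").read() instead of the samples.
    print("tcp:", exposed_listeners(SAMPLE_TCP, TCP_LISTEN))
    print("udp:", exposed_listeners(SAMPLE_UDP, UDP_UNCONNECTED))
```

A wildcard bind (0.0.0.0) on a watched port shows up in the result; a service bound only to the internal address does not.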

