Re: question about ipchains on dual interface machine

To: <fireball82@gmx.net>
Cc: <debian-firewall@lists.debian.org>
Subject: Re: question about ipchains on dual interface machine
From: Tzafrir Cohen <tzafrir@technion.ac.il>
Date: Thu, 11 Oct 2001 10:30:51 +0200 (IST)
Message-id: <Pine.GSO.4.33_heb2.09.0110111023330.22346-100000@csd>
In-reply-to: <20011011003106.A14276@inferno.ruley.org>

On Thu, 11 Oct 2001 fireball82@gmx.net wrote:

> Hello Mike, hello List.
>
>
> On Wed, Oct 10, 2001 at 11:37:36AM -0400, Mike Dresser wrote:
> [...]
> > I want to deny ports 23, 37,137,139, etc, from the Internet, but allow
> > them from Y.
> [...]
>
> What about configuring services to listen only on one _specific_
> interface/ip? (In your case Y) So you perhaps don't have to take care about
> an confusing firewall setup... hiding services is not the way[tm] to make or
> keep a network secure.

This has the slightly nasty side-effect of putting the IP address in many
config files (and next time you want to change the internal IP
address...).

Also, consider this some sort of passimistic configuration: you can't be
sure if you'll remember to configure correctly serveices X, Y, Z and W
(and debian is far from being "secure by default". Who knows what an
unexpected upgrade might do?).

So in your ipchains configuration you make sure that (almost) no matter
how badly those daemons are configured, they still can't be accessed from
the internet.

-- 
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir

Reply to:

References:
- Re: question about ipchains on dual interface machine
  - From: fireball82@gmx.net

Prev by Date: Re: question about ipchains on dual interface machine
Next by Date: IP Aliasing
Previous by thread: Re: question about ipchains on dual interface machine
Next by thread: Re: question about ipchains on dual interface machine
Index(es):
- Date
- Thread