Re: question about ipchains on dual interface machine
On Thu, 11 Oct 2001 fireball82@gmx.net wrote:
> Hello Mike, hello List.
>
>
> On Wed, Oct 10, 2001 at 11:37:36AM -0400, Mike Dresser wrote:
> [...]
> > I want to deny ports 23, 37,137,139, etc, from the Internet, but allow
> > them from Y.
> [...]
>
> What about configuring services to listen only on one _specific_
> interface/ip? (In your case Y) So you perhaps don't have to take care of
> a confusing firewall setup... hiding services is not the way[tm] to make or
> keep a network secure.
This has the slightly nasty side-effect of putting the IP address in many
config files (and next time you want to change the internal IP
address...).
Also, consider this some sort of pessimistic configuration: you can't be
sure if you'll remember to correctly configure services X, Y, Z and W
(and Debian is far from being "secure by default". Who knows what an
unexpected upgrade might do?).
So in your ipchains configuration you make sure that (almost) no matter
how badly those daemons are configured, they still can't be accessed from
the internet.
--
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir
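
The approach discussed in this thread, as an added example that is not part of the original messages: ipchains rules that drop the listed ports on the Internet-facing interface only, so daemons stay unreachable from outside however they are bound. Assumptions: `eth0` is the external interface, network Y sits behind the other interface, and both TCP and UDP are covered; `emit_rules` and `apply_rules` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread.
# Assumption: eth0 faces the Internet; network Y is on the other interface.
EXT_IF="${EXT_IF:-eth0}"
# Ports named in the original question (its "etc" is not expanded here).
PORTS="${PORTS:-23 37 137 139}"

# emit_rules IFACE PORT...
# Print one ipchains command per port and protocol. Matching on the input
# interface (-i) instead of an address keeps the internal IP out of the
# rule set, so renumbering network Y does not touch the firewall.
emit_rules() {
    ext_if="$1"; shift
    for port in "$@"; do
        for proto in tcp udp; do
            # -l logs the attempt; DENY drops the packet without a reply
            echo "ipchains -A input -i $ext_if -p $proto -d 0.0.0.0/0 $port -l -j DENY"
        done
    done
}

# Dry run by default: print the commands. Set APPLY=1 (as root) to load them.
apply_rules() {
    # $PORTS is intentionally unquoted so it splits into one argument per port
    emit_rules "$EXT_IF" $PORTS | while read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            $cmd
        else
            echo "$cmd"
        fi
    done
}

apply_rules
```

Packets from Y arrive on the internal interface, never match these rules, and fall through to whatever the rest of the input chain allows.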