Re: firewall
hi ya tom...
lets see... a fully loaded question ya posed...
you can run nmap from various online web-based testers
http://www.Linux-Sec.net/Audit/nmap.test.gwif.html
for the firewall ...
- it should be running a "secure linux/bsd distro"
and only ipchains....
( some might wanna run dns on it too...but...
- iptables belong on the firewall in your pic below..
not with the router
http://www.Linux-Sec.net/distro.gwif.html#hardened
for the rest of your systems..
- no telnet is ever needed .. ( well, mostly not...
- smtp is only needed on the machine to send/receive emails...
turn it off otherwise...
- "domain" is only needed on the primary and secondary dns
for your domain ... turn it off otherwise
- you should keep the insecure pop3 services on an
insecure/hackable server ... at least wrap it and disallow
all ip# from connecting except the windoze pc wanting to pop
emails .. turn it off otherwise..
- sunrpc ... turn it off if you are not manually or automounting
this server to/from any other server...
- use secure nfs and secure rpc etc... if you do
- turn off the printer stuff... only one machine ( print server )
== turn it all off... except for the one service/daemon you need
fun stuff ??...
c ya
alvin
http://www.Linux-Sec.net
On Mon, 10 Sep 2001, Tom Breza wrote:
>
> Hi
>
> I have been installing a firewall on iptables, and I have a few questions,
> my situation is a bit specific
> I am connected to the internet something like this
>
> ----------+       +------------------+
> my network|-------+eth0 Router  ppp0+----+ISP Firewall+------INTERNET
>           |       |with iptables     |
> ----------+       +------------------+
>
> I put the firewall on iptables on the router, a Linux box with Debian,
> but I can only scan via nmap from inside the network or from the router interface
> ppp0 to see what ports I have open,
>
> but my question is
>
> When I scan that way, nmap -v -sS -O ppp0 (I give the IP address),
> then I have some ports open,
> should I make them filtered?!
>
> my open ports are
>
> Service | Port | State
> --------+------+------
> ssh     |   22 | Open
> telnet  |   23 | Open
> smtp    |   25 | Open
> domain  |   53 | Open
> pop-3   |  110 | Open
> sunrpc  |  111 | Open
> printer |  515 | Open
> kdm     | 1024 | Open
>
>
> netstat -anp return this .....
>
> router:/home/tom# netstat -anp
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address        Foreign Address      State        PID/Program name
> tcp        0      0 0.0.0.0:1024         0.0.0.0:*            LISTEN       509/rpc.mountd
> tcp        0      0 0.0.0.0:515          0.0.0.0:*            LISTEN       491/lpd
> tcp        0      0 0.0.0.0:110          0.0.0.0:*            LISTEN       485/inetd
> tcp        0      0 0.0.0.0:111          0.0.0.0:*            LISTEN       97/portmap
> tcp        0      0 10.16.34.56:53       0.0.0.0:*            LISTEN       447/named
> tcp        0      0 192.168.253.254:53   0.0.0.0:*            LISTEN       447/named
> tcp        0      0 127.0.0.1:53         0.0.0.0:*            LISTEN       447/named
> tcp        0      0 0.0.0.0:22           0.0.0.0:*            LISTEN       517/sshd
> tcp        0      0 0.0.0.0:23           0.0.0.0:*            LISTEN       485/inetd
> tcp        0      0 0.0.0.0:25           0.0.0.0:*            LISTEN       485/inetd
> tcp        0      0 192.168.253.254:22   192.168.253.20:2209  ESTABLISHED  12226/sshd
> tcp        0      0 192.168.253.254:22   192.168.253.20:1666  ESTABLISHED  2544/sshd
> udp        0      0 0.0.0.0:1024         0.0.0.0:*                         447/named
> udp        0      0 0.0.0.0:2049         0.0.0.0:*                         -
> udp        0      0 0.0.0.0:1026         0.0.0.0:*                         -
> udp        0      0 0.0.0.0:1027         0.0.0.0:*                         509/rpc.mountd
> udp        0      0 10.16.34.56:53       0.0.0.0:*                         447/named
> udp        0      0 192.168.253.254:53   0.0.0.0:*                         447/named
> udp        0      0 127.0.0.1:53         0.0.0.0:*                         447/named
> udp        0      0 0.0.0.0:111          0.0.0.0:*                         97/portmap
> Active UNIX domain sockets (servers and established)
> Proto RefCnt Flags   Type    State      I-Node PID/Program name  Path
> unix  2      [ ACC ] STREAM  LISTENING  380    447/named         /var/run/ndc
> unix  6      [ ]     DGRAM              332    435/syslogd       /dev/log
> unix  2      [ ACC ] STREAM  LISTENING  546    491/lpd           /dev/printer
> unix  2      [ ]     DGRAM              781    540/pppd
> unix  2      [ ]     DGRAM              538    491/lpd
> unix  2      [ ]     DGRAM              434    460/diald
> unix  2      [ ]     DGRAM              378    447/named
>
>
> what should I do? How can I close, for example, lpd?
> or sunrpc?
> should I block all these ports by giving a specific IP?
> in the man page for nmap it is written:
> "... Filtered means that a firewall, filter, or
> other network obstacle is covering the port
> and preventing nmap from determining whether
> the port is open."
> if I make them filtered somehow, can I still connect to my router via
> ssh? or another way?
> what is your advice?
>
> any suggestion would be gratefully received :)
>
> siaraX
>
>
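As an added example (not code from either message in this thread): a small POSIX shell script that reads `netstat -anp` output like the one quoted above and lists every listener bound to 0.0.0.0 or to the ppp0 address, i.e. everything reachable from the ISP side unless iptables filters it. The netstat sample embedded in it is constructed in the same format; the ppp0 address 10.16.34.56 and the LAN address 192.168.253.254 are the ones from the post.

```shell
#!/bin/sh
# Added example, not code from either message in this thread.
# Reads `netstat -anp` output on stdin and prints one "proto port program"
# line for every listening socket reachable from the ISP side of the
# router: bound to 0.0.0.0 (all interfaces, ppp0 included) or to the ppp0
# address given as $1. Sockets bound only to the LAN address or to
# 127.0.0.1 are left out. Anything printed is exposed unless iptables
# filters it, so the list should shrink to the one daemon you really need.

exposed_listeners() {
    awk -v ext="$1" '
        function emit(proto, local, prog,   a) {
            split(local, a, ":")                  # "0.0.0.0:110" -> addr, port
            if (a[1] != "0.0.0.0" && a[1] != ext) return
            sub(/^[0-9]*\//, "", prog)            # "485/inetd" -> "inetd"
            print proto, a[2], prog               # "-" = no user process shown
        }
        $1 == "tcp" && $6 == "LISTEN" { emit($1, $4, $7) }   # skips ESTABLISHED
        $1 == "udp"                   { emit($1, $4, $6) }   # udp has no State
    ' | LC_ALL=C sort -k1,1 -k2,2n
}

# Constructed sample in netstat -anp format (program name on the same line,
# as netstat prints it); addresses follow the ones quoted in the post.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      509/rpc.mountd
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      491/lpd
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      485/inetd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      97/portmap
tcp        0      0 10.16.34.56:53          0.0.0.0:*               LISTEN      447/named
tcp        0      0 192.168.253.254:53      0.0.0.0:*               LISTEN      447/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      447/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      517/sshd
tcp        0      0 192.168.253.254:22      192.168.253.20:2209     ESTABLISHED 12226/sshd
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
udp        0      0 10.16.34.56:53          0.0.0.0:*                           447/named
udp        0      0 192.168.253.254:53      0.0.0.0:*                           447/named
udp        0      0 0.0.0.0:111             0.0.0.0:*                           97/portmap'

# Stand-alone run against the sample; on the router itself use:
#   netstat -anp | exposed_listeners <ppp0 address>
printf '%s\n' "$SAMPLE" | exposed_listeners 10.16.34.56
```

Listeners that survive the list but are only meant for the LAN (pop3 for the one Windows PC, ssh for admin) are the candidates for tcp wrappers or an iptables rule that matches on the source address rather than for being switched off.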
- References:
- firewall
- From: Tom Breza <tom@PCService-NET.co.uk>