
Re: firewall

Rishi L Khan <rishi@UDel.Edu> writes:

> If you're not using sunrpc or lpd, I would turn them off. The way I do it
> is turn off the services (/etc/init.d/portmap stop; /etc/init.d/lpd stop)
> and then edit /etc/init.d/lpd and /etc/init.d/portmap and add a line near
> the top that says "exit 0" (w/o quotes) so that when you restart, they
> don't come back.

It should be sufficient to do
        update-rc.d -f portmap remove
        update-rc.d -f lpd remove
        update-rc.d -f bind remove

although, really, `dpkg -P portmap' is more like it.

> Also, if you don't need telnet, turn that off by commenting out the line
> starting with "telnet" in the /etc/inetd.conf file. Then restart inetd or
> send a kill -HUP to it.

No firewall should *EVER* run telnetd. Period. Purge the package, learn to
use ssh for everything.

> Additionally, your firewall should filter all incoming tcp connection
> requests except the ones you want to keep (like ssh, etc). I'm not sure
> how to do that in iptables, because I use ipchains.

My script, previously plugged, does this with connection tracking. 

    iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A block -m state --state INVALID -j DROP
right at the top, then
    iptables -A block -p tcp --destination-port 22 -j ACCEPT
to open ssh to all incoming hosts, then
    iptables -A block -j DROP
to drop everything else.

   17:20:49 up 44 days,  7:19, 15 users,  load average: 0.01, 0.06, 0.03
piglet@stirfried.vegetable.org.uk |operating system not found
http://piglet.is.dreaming.org     |(seen mid-Windows 98 installation)
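The stateful policy sketched in the reply above, written out as a complete,
re-runnable script. This is an added example, not piglet's previously plugged
script nor any code from the thread: the chain name "block" and the four
rules match the snippet, while the loopback rule, the helper names, the
port list argument and the IPT override for dry runs are this example's own
assumptions. It assumes a Debian host with the iptables command available.

```shell
#!/bin/sh
# Added example (not the original poster's script): the stateful INPUT policy
# the reply sketches, as a complete, re-runnable script. Assumes a Debian
# host with iptables; the chain name "block" and the helper names are this
# example's own. Run as:  sh fw.sh apply 22       (more ports: "22 80")
# Dry run without touching the kernel:  IPT=echo sh fw.sh apply 22
set -eu

IPT="${IPT:-iptables}"

# Emit the rules for the "block" chain, one per line, without the command
# prefix, so they can be read or diffed before being applied.
# $1: space-separated TCP ports to open to all hosts (default: 22, ssh).
block_rules() {
    ports="${1:-22}"
    # Loopback first: local daemons talking to themselves must not be dropped.
    # (This rule is an assumption of this example; the reply does not show it.)
    echo "-A block -i lo -j ACCEPT"
    # Packets that belong to, or are related to, a connection already accepted.
    echo "-A block -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Packets the connection tracker cannot place at all.
    echo "-A block -m state --state INVALID -j DROP"
    # New inbound TCP connections only on the listed ports.
    for p in $ports; do
        echo "-A block -p tcp --dport $p -j ACCEPT"
    done
    # Everything else (new TCP on other ports, UDP, ICMP) is dropped.
    echo "-A block -j DROP"
}

# Create (or flush) the chain, load the rules, and hook it into INPUT once.
apply_rules() {
    $IPT -N block 2>/dev/null || $IPT -F block
    block_rules "${1:-22}" | while IFS= read -r rule; do
        # $rule is split on purpose: each word is one iptables argument.
        # shellcheck disable=SC2086
        $IPT $rule
    done
    # -C only tests whether the jump exists, so re-running is harmless.
    $IPT -C INPUT -j block 2>/dev/null || $IPT -A INPUT -j block
}

if [ "${1:-}" = "apply" ]; then
    apply_rules "${2:-22}"
    # Show the chain with packet counters to check that the policy took.
    $IPT -L block -n -v
fi
```

Only INPUT is hooked; a box that also forwards for an internal network needs
its own FORWARD policy, because opening port 22 in this chain on FORWARD would
open ssh to every host behind the firewall as well. In a dry run the `-N` and
`-C` probes are silenced by the `2>/dev/null`, so only the rule lines and the
final listing are printed.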
