Re: Listening Ports

[Tim Haynes <debian@stirfried.vegetable.org.uk>]

Alexander Reelsen <ref@tretmine.org> writes:

> On Mon, Sep 10, 2001 at 02:14:56PM +0200, Bernhard R. Link wrote:
> > On Mon, 10 Sep 2001, Alexander Reelsen wrote:
> > > First binding then firewalling is a bad idea, someone might be able
> > > to access that service via spoofing or other dirty tricks...
> >
> > I do not know very much in this area, but I was of the impression, that
> > firewalling might be more secure than giving ip, as you can only
> > specify the ip, and not the network-interface the connection comes
> > from.
>
> Well, I consider listening on a certain IP as quite secure, because you
> mostly know what ip is bound to what interface. If you want to do extra
> firewalling per-interface then you need something else than inetd.

Um. It's only as secure as it is unlikely to receive an invalid packet on
that interface. rp_filter and/or `INVALID' in iptables are pretty useful
here, in ruling out martians etc before you open a port wide open, even if
the port only exists on some of the interfaces.
 
> Both is useful, what I meant was the fact, that starting unnecessary
> services per-ip (per-interface as well ;)) and firewalling those
> afterwards is not that securitywise as not starting them at all.

For sure. As few service ports listening, on as few interfaces as possible,
with as much firewalling to back them up as possible, then we're getting
somewhere :)

~Tim
-- 
Rushing onwards, tracing the chains,        |piglet@stirfried.vegetable.org.uk
Chasing the days, chasing the days.         |http://spodzone.org.uk/