
Re: firewall



hi ya tom...

let's see... a fully loaded question ya posed...

you can run nmap from various online web-based testers
	http://www.Linux-Sec.net/Audit/nmap.test.gwif.html

for the firewall ... 
	- it should be running a "secure linux/bsd distro"
	and only ipchains....
	( some might wanna run dns on it too...but...

	- iptables belongs on the firewall in your pic below..
	not with the router

	http://www.Linux-Sec.net/distro.gwif.html#hardened

for the rest of your systems..
	- no telnet is ever needed .. ( well, mostly not...

	- smtp is only needed on the machine to send/receive emails...
	turn it off otherwise...

	- "domain" is only needed on the primary and secondary dns 
	for your domain ... turn it off otherwise

	- you should keep the insecure pop3 services on an
	insecure/hackable server ... at least wrap it  and disallow
	all ip#  from connecting except the windoze pc wanting to pop
	emails .. turn it off otherwise..

	- sunrpc ... turn it off if you are not manually or automounting
	this server to/from any other server...
		- use secure nfs and secure rpc etc... if you do

	- turn off the printer stuff... only one machine ( print server )

== turn it all off... except for the one service/daemon you need

fun stuff ??...

c ya
alvin
http://www.Linux-Sec.net


On Mon, 10 Sep 2001, Tom Breza wrote:

> 
> Hi
> 
> I've been installing a firewall with iptables, and I have a few questions,
> my situation is a bit specific
> I am connected to the internet something like this
> 
> ----------+	  +------------------+	
> my network|-------+eth0  Router  ppp0+----+ISP Firewall+------INTERNET
>           |       |with iptables     |	
> --------- +	  +------------------+	
> 
> I put the firewall on iptables on the router, a Linux box with debian 
> but I can scan only via nmap from inside the network or from the router interface
> ppp0 to see what ports I have open,
> 
> but my question is
> 
> When I scan that way nmap -v -sS -O ppp0 (I give the IP address)
> then I have some ports open, 
> should I make them filtered?!
> 
> my open ports are 
> 
> Service| Port| State 
> ------------------
> ssh    | 22  | Open
> telnet | 23  | Open
> smtp   | 25  | Open
> domain | 53  | Open
> pop-3  | 110 | Open
> sunrpc | 111 | Open
> printer| 515 | Open
> kdm    |1024 | Open
> 
> 
> netstat -anp return this .....
> 
> router:/home/tom# netstat -anp
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      509/rpc.mountd
> tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      491/lpd
> tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      485/inetd
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      97/portmap
> tcp        0      0 10.16.34.56:53          0.0.0.0:*               LISTEN      447/named
> tcp        0      0 192.168.253.254:53      0.0.0.0:*               LISTEN      447/named
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      447/named
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      517/sshd
> tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      485/inetd
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      485/inetd
> tcp        0      0 192.168.253.254:22      192.168.253.20:2209     ESTABLISHED 12226/sshd
> tcp        0      0 192.168.253.254:22      192.168.253.20:1666     ESTABLISHED 2544/sshd
> udp        0      0 0.0.0.0:1024            0.0.0.0:*                           447/named
> udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
> udp        0      0 0.0.0.0:1026            0.0.0.0:*                           -
> udp        0      0 0.0.0.0:1027            0.0.0.0:*                           509/rpc.mountd
> udp        0      0 10.16.34.56:53          0.0.0.0:*                           447/named
> udp        0      0 192.168.253.254:53      0.0.0.0:*                           447/named
> udp        0      0 127.0.0.1:53            0.0.0.0:*                           447/named
> udp        0      0 0.0.0.0:111             0.0.0.0:*                           97/portmap
> Active UNIX domain sockets (servers and established)
> Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
> unix  2      [ ACC ]     STREAM     LISTENING     380    447/named           /var/run/ndc
> unix  6      [ ]         DGRAM                    332    435/syslogd         /dev/log
> unix  2      [ ACC ]     STREAM     LISTENING     546    491/lpd             /dev/printer
> unix  2      [ ]         DGRAM                    781    540/pppd
> unix  2      [ ]         DGRAM                    538    491/lpd
> unix  2      [ ]         DGRAM                    434    460/diald
> unix  2      [ ]         DGRAM                    378    447/named
> 
> 
> what should I do? How can I close for example lpd ?
> or sunrpc ?
> should I block all these ports by giving a specific IP ?
> in the man page for nmap it is written:
> "... Filtered  means  that a firewall, filter, or
>      other network obstacle is covering the port 
>      and  preventing  nmap  from determining  whether  
>      the port is open."
> if I make them filtered somehow, can I still connect to my router via
> ssh? or another way?
> what is your advice?
> 
> any suggestion will be greatly appreciated :)
> 
> siaraX
> 
> 
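An added example, not from either message in this thread, covering the two things alvin's advice boils down to: find out which daemons in Tom's netstat output are bound to 0.0.0.0 (and so answer on ppp0 as well as on the LAN), and write an INPUT ruleset for the router that drops everything arriving on the external interface by default while still letting the LAN reach ssh and the router's own named. The ruleset is printed rather than applied so it can be reviewed first and then piped to sh on the router. The netstat lines are copied from Tom's mail; the interface names ppp0/eth0 come from his diagram; the LAN network 192.168.253.0/24 is an assumption based on the 192.168.253.x addresses in his output.

```shell
#!/bin/sh
# Added example for the debian-security thread above (not code from either
# poster). Helper 1 reads "netstat -anp" output and lists TCP listeners bound
# to all interfaces. Helper 2 prints an iptables INPUT ruleset for the router.
# Only INPUT is touched: FORWARD/NAT for the LAN's internet access is left alone.

# Constructed sample: the TCP socket lines from Tom's netstat -anp output.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      509/rpc.mountd
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      491/lpd
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      485/inetd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      97/portmap
tcp        0      0 10.16.34.56:53          0.0.0.0:*               LISTEN      447/named
tcp        0      0 192.168.253.254:53      0.0.0.0:*               LISTEN      447/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      447/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      517/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      485/inetd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      485/inetd
tcp        0      0 192.168.253.254:22      192.168.253.20:2209     ESTABLISHED 12226/sshd'

# Print "port pid/program" for every TCP socket in LISTEN state whose local
# address is 0.0.0.0, i.e. reachable on every interface including ppp0.
# Reads netstat -anp output on stdin. named is not listed because it is
# bound to specific addresses, which is the pattern the other daemons lack.
wildcard_listeners() {
    awk '$1 == "tcp" && $6 == "LISTEN" && $4 ~ /^0\.0\.0\.0:/ {
            split($4, a, ":"); print a[2], $7
         }' | sort -n
}

# How many of the wildcard listeners are inetd-managed services: those are
# closed by commenting out their line in /etc/inetd.conf and HUPing inetd,
# whereas lpd and portmap are standalone daemons stopped via their init scripts.
inetd_listener_count() {
    wildcard_listeners | grep -c '/inetd$'
}

# Print an iptables INPUT ruleset: default DROP, loopback and reply traffic
# accepted, ssh and DNS accepted only from the LAN side, and everything else
# arriving on the external interface logged (rate-limited) and dropped.
# Arguments: external interface, internal interface, LAN network in CIDR form.
firewall_rules() {
    ext=$1; int=$2; lan=$3
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $int -s $lan -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $int -s $lan -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $int -s $lan -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $ext -m limit --limit 5/min -j LOG --log-prefix "$ext-drop: "
iptables -A INPUT -i $ext -j DROP
EOF
}

# Stand-alone run: list the exposed listeners from the sample, then print the
# ruleset for Tom's layout (assumed LAN 192.168.253.0/24).
printf '%s\n' "$NETSTAT_SAMPLE" | wildcard_listeners
firewall_rules ppp0 eth0 192.168.253.0/24
```

On the live router, `netstat -anp | sh -c '. ./fw.sh; wildcard_listeners'` style use works the same way as the embedded sample. Packets that hit the final DROP get no reply at all, which is exactly what makes nmap report the port as "filtered" instead of "open"; the ssh rule on the internal interface comes before that drop, so a LAN host such as 192.168.253.20 can still log in, while the pop3, telnet and smtp listeners stay unreachable from ppp0 even before they are removed from inetd.conf.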