
Re: Bastille-Linux and Debian
On Thu, 2 Nov 2000, Ethan Benson wrote:

> On Thu, Nov 02, 2000 at 03:39:46PM +0100, Robert Varga wrote:
> > 
> > It probably examines your current ports via something similar to netstat,
> > to know what services on what ports are needed and creates a firewall
> > script that creates the rules according to actual ip, that is good for
> > that state of the system, as it was upon running the build script. It
> > probably knows a couple of protocols which need special handling, e.g.
> > ftp.
> 
> handling ftp means opening up large ranges of ports, same with irc
> stuff (dcc et al)

Handling ftp does not need that much. In active mode the server initiates
the data connection with source port ftp-data(20) and that needs only one
rule. It only breaks the passive transfer mode.

As for irc: DCC is between the clients, it has nothing to do with the
server. The only traffic on an irc server is the client initiated
connections to the irc server port (usually 6667). If the irc server is
running at the time of the hardening process, then it can be detected and
the appropriate rules permitting connection to the irc server can be
created. 

If an irc client wants to use DCC, then some manual intervention on the
firewall rules is probably needed, if all traffic is blocked. 

Regards,

Robert Varga

> 
> > It probably just filters out everything which is not traffic to the
> > then-active server processes, and sets up a few anti-spoofing rules. 
> 
> this would probably break loads of other protocols, than just ftp and
> irc.  by the time you allow for a usable internet connection there are
> many many ports which users could attach daemons to.
> 
> then again maybe it simply disables all internet access except for
> www, but I wouldn't call that usable.
> 
> -- 
> Ethan Benson
> http://www.alaska.net/~erbenson/
> 
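The rule-generation scheme the thread describes (detect listening services, admit only those, add the one rule active-mode FTP needs because the server opens the data connection from ftp-data/20), as an added example that is neither Bastille's code nor from the original mail. The listener sample is constructed in `ss -Hltn` column layout, and the script prints iptables commands rather than applying them.

```shell
#!/bin/sh
# Constructed sample in the column order of `ss -Hltn` (State Recv-Q Send-Q
# Local:Port Peer:Port); not captured from a real host.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6667 0.0.0.0:*'

# Print the distinct TCP ports bound to a non-loopback address, one per line.
# Loopback-only daemons (the MTA on 127.0.0.1:25 above) get no rule.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr !~ /^127\./ && addr != "[::1]") seen[port] = 1 }
        END { for (p in seen) print p }' | sort -n
}

# Emit an iptables script that admits only new connections to the detected
# listeners, keeps reply traffic flowing, and adds the single extra rule that
# active-mode FTP needs: the server itself opens the data connection from
# source port 20 (ftp-data). With OUTPUT defaulting to DROP that rule is what
# lets the transfer start; passive mode still needs the nf_conntrack_ftp
# helper or hand-written rules for the passive port range.
generate_rules() {
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -P OUTPUT DROP'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    # Anti-spoofing: loopback source addresses never belong on a real interface.
    echo 'iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP'
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in $(listening_ports "$1"); do
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        if [ "$port" = 21 ]; then
            echo 'iptables -A OUTPUT -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT'
        fi
    done
}

generate_rules "$SAMPLE_LISTENERS"
```

The locked-down OUTPUT chain is also what Ethan's objection is about: the host can answer clients, but any protocol where the server must initiate a new outbound connection (DNS lookups, DCC, passive FTP data channels) needs a rule added by hand.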