On Sun, Nov 05, 2000 at 07:13:25PM -0500, Christopher W. Aiken wrote:
> My "Mom & Pop" phone company had an insert in my latest phone bill
> that indicated they would be providing DSL service in the very near
> future. A friend of mine suggested that if I get the DSL service
> that I should set up a firewall to protect myself.
You have a good friend! ;-)
> He also suggested that I start with a page on the net (TrinityOS at
> http://24.7.216.129:8192/) that has some basic ipchain
> configurations. I don't understand any of this stuff, but the
> TrinityOS pages had a 100 line rc.firewall script and a 1300 line
> ipchains config file. Is all of this really necessary? Why can't I
> just set my "/etc/hosts.deny" file to "ALL: PARANOID" and comment out
> the "telnet", "ftp" and "http" lines of my "/etc/inetd.conf"
> file? Wouldn't that be enough protection for my system?
It does sound like a bit of overkill, doesn't it? Still, I wouldn't
take the information at TrinityOS lightly. Rather, I would roll that
information into my own bag of tricks (and will shortly... I forgot
all about that site).
At a bare minimum, if that's all you want, I would install the ipmasq
package. Personally, I'm not fond of the package, but it will get you
up and running in short order. I have a few tips for you that might
help you in your quest for security.
* Take heed of TrinityOS's suggestions.[1]
* Check out LIDS (Linux Intrusion Detection System)[2]
* Read the Linux Documentation Project's Security Guide[3]
* Place this rule at the end of each chain while debugging:
      ipchains -A <chain> -j DENY -l
  (That means, DENY the packet and log it...
      tail -f /var/log/syslog)
* Avoid inetd, but if you must, use xinetd.
* Repeat this phrase: "A firewall is a firewall is a firewall."
  If at any time you catch yourself saying, "I could put <insert
  favorite service here> on the firewall." Slap yourself in the
  face and repeat the mantra again. Repeat until you get it
  right. If you do otherwise, just remember, "I warned you!"
References
----------
[1] http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos
[2] http://www.lids.org/
[3] 'apt-get install lasg' or http://www.linuxdoc.org/LDP/lasg/
--
Chad "^chewie, gunnarr" Walstrom <chewie@wookimus.net>
http://www.wookimus.net/
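An added example, not from either poster, of what the logging DENY rule at the end of each chain produces and how to summarise it: the syslog lines are constructed for this example, modelled on the ipchains kernel log format ("Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ..."), and the chain names and addresses are assumptions.

```shell
#!/bin/sh
# Added example: summarise what "ipchains -A <chain> -j DENY -l" logs.
# Nothing here touches a live firewall; the rules are printed, not run.

# Catch-all deny-and-log rule for each chain (assumed chain names).
debug_deny_rules() {
    for chain in input output forward; do
        echo "ipchains -A $chain -j DENY -l"
    done
}

# Constructed syslog excerpt (documentation addresses, no real host).
sample_log() {
    cat <<'EOF'
Nov  5 19:20:01 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4321 192.0.2.10:23 L=60 S=0x00 I=1234 F=0x4000 T=64 SYN (#4)
Nov  5 19:20:03 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4322 192.0.2.10:21 L=60 S=0x00 I=1235 F=0x4000 T=64 SYN (#4)
Nov  5 19:20:05 gw kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.9:53 192.0.2.10:1025 L=34 S=0x00 I=18 F=0x0000 T=254 (#4)
Nov  5 19:20:07 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4323 192.0.2.10:23 L=60 S=0x00 I=1236 F=0x4000 T=64 SYN (#4)
Nov  5 19:20:09 gw sshd[812]: Accepted publickey for chris from 192.0.2.5
EOF
}

# Count DENY entries per protocol number and destination port,
# most frequent first.  Output lines: "<count> PROTO=<n> dport=<port>".
denied_by_port() {
    grep 'Packet log: .* DENY ' | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) { proto = $i; dst = $(i+2) }
        n = split(dst, a, ":"); print proto, "dport=" a[n]
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# Count DENY entries per source address, most frequent first.
denied_by_source() {
    grep 'Packet log: .* DENY ' | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) src = $(i+1)
        sub(/:[0-9]+$/, "", src); print src
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Stand-alone run over the constructed excerpt.
debug_deny_rules
sample_log | denied_by_port
sample_log | denied_by_source
```

On a real box, feed `grep 'Packet log' /var/log/syslog` into these functions instead of `sample_log`; `tail -f` is for watching, the sort-based summary needs a finished file.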