RE: DSL & Firewall

[mike <mikpolniak@adelphia.net>]

On Mon, 06 Nov 2000 00:32:29 +0000 (UTC), Pollywog said:

> 
>  On 06-Nov-2000 Christopher W. Aiken wrote:
>  > 
>    Why cant I just set my "/etc/hosts.deny"
>  > file to "ALL: PARANOID", comment out the "telnet" "ftp" and
>  > "http" lines out of my "/etc/inetd.conf" file?  Wouldn't
>  > that be enough protection for my system?
>  > 
>  
>  It is not enough, because most services do not run from inetd and don't use
>  TCP Wrappers.  You do need the firewall.  I see all sorts of connection
>  attempts on my DSL.  Many are probably innocent, but I would guess that some
>  of them are script kiddies.


        
	After turning off services including inetd and making sure all
other servers like X-server ,font server and sql server were 
running with '-nolisten tcp'  i am able to run 'nmap' so all my
65535 ports are closed.
	Running an intrusion detection program 'firestarter' shows
my cable box is getting all kinds of hits including Netbios from
windows boxes . Now i do have ipchains also setup on my stand
alone computer but i felt a firewall with NAT(ip masquerading)
would isolate me from those cable hits which could be anything.
	I estimated an old 486 and some NIC's would cost about a
$100. But since i didn't want another noisy big box around i
got a Netgear gateway-router for only a few dollars more.
	This little gem has a 4-port 10/100 switch built in for your LAN,      
   acts as DHCP client and server, does NAT and has programmable   filters just
like ipchains rules.
	I was able to just plug it  in and use it with default filters, as it
gets DHCP from the cable modem. Now when i run intrusion
detection i have no hits on my internal single box LAN. You can
see the review and user opinions at practicallynetworked.com.
-- 
gEEk||dOOd^Deb+iaN&&XFce$aaZZ goes<Pronto>(-_-)