Re: How secure am I?
hi ya patrick
one way to learn... only change stuff in inetd.conf and see
if anything breaks... if not... it's fairly safe....
compared to leaving those puppies open..
samba is NOT affected by inetd...
there are online audit tools to help identify problems...
http://www.Linux-Sec.net/Audit
firewalls may or may not help...if the firewall itself is
vulnerable .... for the same reasons that your local pc/server
is also vulnerable...
a firewall should be say 2x or 10x tighter in its security rules
to be able to let ipchains or equiv do its magic...
for more firewall howtos...
http://www.Linux-Sec.net/Firewalls
- for firewall testing -->> see penetration testing
and firewall piercing...
c ya
alvin
On Fri, 3 Aug 2001, Patrick Kirk wrote:
> The problem with editing inetd.conf is that I don't know if I'll break
> something I need like samba.
>
> I have a set of firewall rules I knocked up from
> http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-6.html#Strong-IPFWADM-Rulesets
>
> :input REJECT
> :forward DENY
> :output REJECT
> -A input -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j ACCEPT
> -A input -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i ppp0 -j REJECT -l
> -A input -s 0.0.0.0/0.0.0.0 -d 217.35.25.225/255.255.255.255 -i ppp0 -j ACCEPT
> -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
> -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j REJECT -l
> -A forward -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i ppp0 -j MASQ
> -A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j REJECT -l
> -A output -s 0.0.0.0/0.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
> -A output -s 0.0.0.0/0.0.0.0 -d 192.168.0.0/255.255.255.0 -i ppp0 -j REJECT -l
> -A output -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i ppp0 -j REJECT -l
> -A output -s 217.35.25.225/255.255.255.255 -d 0.0.0.0/0.0.0.0 -i ppp0 -j ACCEPT
> -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
> -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j REJECT -l
>
> It uses a rather clever command
> extip="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
> to get the external interface. Not sure how it'll handle a disconnect -
> reconnect - accept new dynamic IP number situation.
>
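Added example, not part of the original thread: a check for the reconnect concern raised in the quoted message, where rules that name the old ppp0 address as a single host no longer match once the link comes back with a new one. The function names, the sample ifconfig output and the new address 192.0.2.10 are constructed for illustration; the three sample rules are taken from the quoted ruleset.

```shell
#!/bin/sh
# Added example: find ipchains rules still pinned to an old ppp0 address.

# Same pipeline as in the quoted message, but reading ifconfig output on
# stdin (old net-tools format: "inet addr:A.B.C.D  P-t-P:...").
extip_from_ifconfig() {
    grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'
}

# Print every rule on stdin whose -s or -d names a single host
# (/255.255.255.255) other than the current external address in $1.
stale_rules() {
    awk -v cur="$1" '
        {
            for (i = 1; i < NF; i++) {
                if (($i == "-s" || $i == "-d") &&
                    $(i+1) ~ /\/255\.255\.255\.255$/) {
                    split($(i+1), a, "/")
                    if (a[1] != cur) { print; next }
                }
            }
        }'
}

# Constructed ifconfig output after a reconnect (documentation address).
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.0.2.10  P-t-P:192.0.2.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# Two host-specific rules and one loopback rule from the quoted ruleset.
SAMPLE_RULES='-A input -s 0.0.0.0/0.0.0.0 -d 217.35.25.225/255.255.255.255 -i ppp0 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A output -s 217.35.25.225/255.255.255.255 -d 0.0.0.0/0.0.0.0 -i ppp0 -j ACCEPT'

# Report the rules that no longer match the address ppp0 holds now.
check_sample() {
    cur=$(printf '%s\n' "$SAMPLE_IFCONFIG" | extip_from_ifconfig)
    printf '%s\n' "$SAMPLE_RULES" | stale_rules "$cur"
}

check_sample
```

On a live system the rules would come from `ipchains-save` and the check could run from `/etc/ppp/ip-up`, which pppd executes each time the link comes up.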