
Re: How secure am I?



hi ya patrick

one way to learn... only change stuff in inetd.conf and see
if anything breaks... if not... it's fairly safe....
compared to leaving those puppies open..

samba is NOT affected by inetd...

there are other online audit tools to help identify problems...

http://www.Linux-Sec.net/Audit

firewalls may or may not help...if the firewall itself is
vulnerable .... for the same reasons that your local pc/server
is also vulnerable...
	a firewall should be say 2x or 10x tighter in its security rules
	to be able to let ipchains or equiv do its magic...

for more firewall howtos...
http://www.Linux-Sec.net/Firewalls
	- for firewall testing -->> see penetration testing
	and firewall piercing...

c ya
alvin


On Fri, 3 Aug 2001, Patrick Kirk wrote:

> The problem with editing inetd.conf is that I don't know if I'll break
> something I need like samba.
> 
> I have a set of firewall rules I knocked up from
> http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-6.html#Strong-IPFWADM-Rulesets
> 
> :input REJECT
> :forward DENY
> :output REJECT
> -A input -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j ACCEPT
> -A input -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i ppp0 -j REJECT -l
> -A input -s 0.0.0.0/0.0.0.0 -d 217.35.25.225/255.255.255.255 -i ppp0 -j ACCEPT
> -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
> -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j REJECT -l
> -A forward -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i ppp0 -j MASQ
> -A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j REJECT -l
> -A output -s 0.0.0.0/0.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
> -A output -s 0.0.0.0/0.0.0.0 -d 192.168.0.0/255.255.255.0 -i ppp0 -j REJECT -l
> -A output -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i ppp0 -j REJECT -l
> -A output -s 217.35.25.225/255.255.255.255 -d 0.0.0.0/0.0.0.0 -i ppp0 -j ACCEPT
> -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
> -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j REJECT -l
> 
> It uses a rather clever command extip="`/sbin/ifconfig ppp0 | grep 'inet
> addr' | awk '{print $2}' | sed -e 's/.*://'`" to get the external interface.
> Not sure how it'll handle a disconnect - reconnect - accept new dynamic IP
> number situation.
> 
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
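Patrick's worry about the disconnect/reconnect/new-IP case, worked through as an added example (not code from either poster or from the HOWTO): the two rules that embed the external address are regenerated from whatever address ppp0 currently has, and nothing is opened if the interface has no address. The ifconfig output and the P-t-P peer address are constructed samples; the hook path /etc/ppp/ip-up.d/ and the $PPP_LOCAL variable are Debian's pppd conventions, named here as the intended place to run this.

```shell
#!/bin/sh
# Added example, not from the thread. Rebuild the host-specific ipchains
# rules from the CURRENT ppp0 address, so a reconnect that hands out a new
# dynamic IP does not leave the old 217.35.25.225 rules in place.
# Meant to run from a script in /etc/ppp/ip-up.d/ (Debian runs these on every
# connect and exports the local address as $PPP_LOCAL; pppd also passes it as $4).

# Constructed sample of classic net-tools ifconfig output, interface up:
IFCONFIG_UP='ppp0      Link encap:Point-to-Point Protocol
          inet addr:217.35.25.225  P-t-P:217.35.25.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# Constructed sample, interface present but not yet assigned an address:
IFCONFIG_DOWN='ppp0      Link encap:Point-to-Point Protocol
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1'

# Pull the IPv4 address out of ifconfig output on stdin. Same idea as the
# HOWTO's grep|awk|sed pipeline, but returns 1 (prints nothing) when there is
# no "inet addr" line instead of silently yielding an empty extip.
extract_extip() {
    ip=$(awk '/inet addr/ { sub(/.*:/, "", $2); print $2; exit }')
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# Emit only the two rules that contain the external address; the
# interface-wide REJECT/MASQ rules from the HOWTO do not change per connect.
gen_host_rules() {
    extip="$1"
    printf 'ipchains -A input -s 0.0.0.0/0.0.0.0 -d %s/255.255.255.255 -i ppp0 -j ACCEPT\n' "$extip"
    printf 'ipchains -A output -s %s/255.255.255.255 -d 0.0.0.0/0.0.0.0 -i ppp0 -j ACCEPT\n' "$extip"
}

# Read ifconfig output on stdin and print the rules to apply. Fails closed:
# with no address, no ACCEPT rule is produced and the default REJECTs stand.
rules_for_ifconfig() {
    extip=$(extract_extip) || {
        echo "ppp0 has no address yet; not adding any ACCEPT rules" >&2
        return 1
    }
    gen_host_rules "$extip"
}

# Show the rules for the live interface: sh thisscript.sh --show
if [ "${1-}" = "--show" ]; then
    ifconfig ppp0 | rules_for_ifconfig
fi
```

In the ip-up hook, `gen_host_rules "$PPP_LOCAL"` replaces the ifconfig parsing entirely, since pppd already knows the freshly negotiated address; flush the old host rules before adding the new ones.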