Re: net protection - firewalls
Matt Johnson wrote:
Hi all,
Two comments in recent threads have prompted me to ask
this...
Firstly, someone mentioned that ipmasq isn't a
firewall, but is a good starting point.
And secondly, there's been talk of people receiving
attempts to crack their machines, which I guess must
be happening to me too.
Ok. I installed ipmasq on my linux 'gateway' for
NATing (I think that's correct?) my linux and windows
home machines that sit behind it. It's been running
for about 3 months. I don't have any firewalls on the
machine behind the gateway, so the gateway is the only
security. I've left ipmasq as it comes out of the box
and it all seems to work fine. Is this insecure? Which
log should I be checking for possible intruders?
Action for me... I was wondering if I understand this
correctly - I could replace ipmasq with firehol (which
is 'stateful'?)? Are they interchangeable? Do they do
the same thing? Are they both called 'firewalls' of
sorts?
Or should I just leave well alone and keep a watchful
eye somewhere?
Thanks in advance.
Hosts on the internet can only connect to other hosts that they can see.
In your case, they can see your gateway, but not the rest of the LAN.
Mostly, hosts on the internet can only connect to ports that are open.
I say "mostly," because there have been bugs in various IP stacks that
allowed other hosts to do evil things without finding an open port.
Probably the most famous was Teardrop that affected, amongst other
things, Windows 95, Windows 98 (well after the fix for Windows 95 was
released!) and Linux. Famously, the Linux fix was available in less than
24 hours.
Mostly, though, attacks succeed through open ports such as 25 (incoming
mail), 80 (web servers) and such. Actually, a firewall isn't going to do
a lot to help you there _unless_ you have one that detects bad traffic
(such as connects to ports nobody has any business connecting to on
_your_ system) and then denies access from the bad side to all your
network.
ISPs could do a lot of good here by detecting code red (it's still
around) and other nasties and
a) shutting down sources in their own networks
b) shutting out sources from outside their networks.
You can use firewall software on your gateway to block and log all
traffic you don't want. You will see lots of traffic from people
hammering on your door. This can also help to block connexions to
misconfigured daemons on your gateway: if you happen to be running
postgresql there, you could have it listening to all IP addresses, but
connexion from external hosts can't reach it because your firewall rules
block them.
Better, of course, to configure postgresql properly, but that can be
tricky. Something I've been puzzling over lately is this setup:
<net> --- <Billion DSL router> --- host 1
                                --- host 2
                                --- host 3
host 1 runs a server, for the Internet, but the Billion's got the
external IP. I can have internal and external traffic both arriving on
the one interface, say eth0 with an internal IP, say 192.168.1.1
Writing firewall rules using iptables is not a task for a beginner, and
there are several higher-level packages available to help with the task.
I use shorewall, but there are others.
Now, despite your firewall, there's traffic that comes right through it
_at your invitation,_ no less! Consider www requests such as that 26
Mbyte SP2 for XP. Email.
Those can do bad things too, and that's where content filters such as
spamassassin (email), MimeDefang (email), Squidguard, DansGuardian and
your AV software come in.
Fifty bucks please:-)
--
Cheers
John
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
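John's reply says a gateway firewall should "block and log" unwanted traffic and that the log will show people "hammering on your door"; this added example (not from either poster) shows what reading that log looks like. It assumes the gateway's iptables rules send dropped packets to syslog with the LOG target and `--log-prefix "FW-DROP: "`, so the lines below (constructed, using RFC 5737 documentation addresses) are in the format the kernel writes to /var/log/messages or kern.log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in the shape the iptables LOG target emits.
# The last line is ordinary kernel noise and must be ignored by the parser.
SAMPLE_LOG = """\
Sep 10 12:00:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=48 PROTO=TCP SPT=41234 DPT=135 SYN
Sep 10 12:00:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=48 PROTO=TCP SPT=41235 DPT=445 SYN
Sep 10 12:00:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=48 PROTO=TCP SPT=41236 DPT=80 SYN
Sep 10 12:00:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=48 PROTO=TCP SPT=41237 DPT=5432 SYN
Sep 10 12:00:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TTL=112 PROTO=TCP SPT=3021 DPT=80 SYN
Sep 10 12:00:07 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TTL=112 PROTO=TCP SPT=3022 DPT=80 SYN
Sep 10 12:00:09 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.7 LEN=60 TTL=57 PROTO=UDP SPT=53 DPT=1027
Sep 10 12:00:10 gw kernel: eth0: link is up
"""

# Assumed log prefix; must match the --log-prefix used in the firewall rules.
LINE_RE = re.compile(r"FW-DROP: (?P<kv>.*)$")

def parse_drops(text):
    """Yield one dict per FW-DROP line with the fields worth counting."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # Tokens look like KEY=VALUE; flags such as SYN or DF carry no '='.
        fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
        yield {k: fields.get(k, "") for k in ("SRC", "DST", "PROTO", "DPT")}

def summarise(text, scan_threshold=3):
    """Count drops per source and per (proto, port); flag sources that
    probed at least scan_threshold distinct ports, which is the pattern of
    someone walking your door looking for an open service."""
    per_src, per_port = Counter(), Counter()
    ports_by_src = defaultdict(set)
    for d in parse_drops(text):
        per_src[d["SRC"]] += 1
        per_port[(d["PROTO"], d["DPT"])] += 1
        ports_by_src[d["SRC"]].add(d["DPT"])
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_threshold)
    return {"per_src": per_src, "per_port": per_port, "scanners": scanners}

if __name__ == "__main__":
    r = summarise(SAMPLE_LOG)
    print("drops per source:", r["per_src"].most_common())
    print("drops per port:  ", r["per_port"].most_common())
    print("scan-like sources:", r["scanners"])
```

On a real gateway, feed it the kernel log (for example `grep FW-DROP /var/log/messages`) rather than the constructed sample; the per-port counts tell you which services the outside world keeps knocking on, and the scanner list is the short list worth a closer look.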