
Re: net protection - firewalls



--- John Summerfield <debian@ComputerDatasafe.com.au> wrote:
> Hosts on the internet can only connect to other hosts that they can see. In your case, they can see your gateway, but not the rest of the LAN.
> 
> Mostly, hosts on the internet can only connect to ports that are open.
> 
> I say "mostly," because there have been bugs in various IP stacks that allowed other hosts to do evil things without finding an open port. Probably the most famous was Teardrop, which affected, amongst other things, Windows 95, Windows 98 (well after the fix for Windows 95 was released!) and Linux. Famously, the Linux fix was available in less than 24 hours.
> 
> Mostly, though, attacks succeed through open ports such as 25 (incoming mail), 80 (web servers) and such. Actually, a firewall isn't going to do a lot to help you there _unless_ you have one that detects bad traffic (such as connects to ports nobody has any business connecting to on _your_ system) and then denies access from the bad side to all your network.
> 
> ISPs could do a lot of good here by detecting Code Red (it's still around) and other nasties and
> a) shutting down sources in their own networks
> b) shutting out sources from outside their networks.
> 
> You can use firewall software on your gateway to block and log all traffic you don't want. You will see lots of traffic from people hammering on your door. This can also help to block connexions to misconfigured daemons on your gateway: if you happen to be running postgresql there, you could have it listening on all IP addresses, but connexions from external hosts can't reach it because your firewall rules block them.
> 
> Better, of course, to configure postgresql properly, but that can be tricky.
> 
> Writing firewall rules using iptables is not a task for a beginner, and there are several higher-level packages available to help with the task. I use shorewall, but there are others.
> 
> Now, despite your firewall, there's traffic that comes right through it _at your invitation,_ no less! Consider www requests such as that 26 Mbyte SP2 for XP. Email.
> 
> Those can do bad things too, and that's where content filters such as spamassassin (email), MimeDefang (email), Squidguard, DansGuardian and your AV software come in.

Thanks for taking the time to put together such a comprehensive answer.


> Fifty bucks please:-)

Yes, well... check's in the post (!) ;)

--
Matt
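The gateway ruleset John describes above (block and log everything you don't want, let the LAN reach the gateway's daemons but keep the internet away from a PostgreSQL that happens to listen on all addresses), written out as an added example. This is not code from the thread and not John's shorewall configuration; it is a plain iptables-restore ruleset. The interface names eth0 (internet side) and eth1 (LAN side), the LAN subnet 192.168.1.0/24, SSH on port 22 as the only service deliberately exposed, and PostgreSQL on its default port 5432 are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Minimal iptables-restore ruleset for a Linux gateway with one external
# interface and one LAN interface. Interface names, LAN subnet and port
# numbers are assumptions for illustration; override them via environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset on stdout in iptables-restore format.
gateway_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections we initiated are always allowed.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Malformed packets that match no known connection are dropped early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The one service we intentionally expose to the internet (assumed: SSH).
-A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# LAN hosts may reach anything on the gateway, including a PostgreSQL
# that listens on all addresses; nothing below accepts that from $WAN_IF.
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# Everything else arriving from the outside is logged (rate-limited so
# a port scan cannot fill the disk) and then dropped.
-A INPUT -i $WAN_IF -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
-A INPUT -j DROP
# LAN hosts may go out; only replies to their connections come back in.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# Hide the LAN behind the gateway's external address.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Sanity check before loading: the ruleset must never accept new external
# connections to the PostgreSQL port. Returns 0 when no such rule exists.
check_no_external_pg() {
    ! gateway_rules | grep -E -- "-i $WAN_IF .*--dport 5432.*-j ACCEPT" >/dev/null
}

# Load the rules only when run as root with iptables-restore available and
# the check passes; otherwise print them so they can be reviewed first.
apply_rules() {
    check_no_external_pg || { echo "refusing to load: PostgreSQL exposed" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        gateway_rules | iptables-restore
    else
        gateway_rules
    fi
}

# Usage: ./gateway.sh          (print the ruleset for review)
#        sudo ./gateway.sh apply   (load it)
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Note that the firewall only papers over the PostgreSQL misconfiguration John mentions; the proper fix on the daemon side is `listen_addresses = 'localhost'` (or the LAN address only) in postgresql.conf, with pg_hba.conf restricted to the hosts that actually need access, so that the service is not reachable even if the firewall is flushed by mistake.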

