Re: laptop protection in an office network
On Sat, August 29, 2015 1:39 pm, Reco wrote:
> Something like this should save you from the most troubles provided
> that you don't plan to use your laptop as a print server or NFS:
I am not sure how "print server" is defined. I installed CUPS so that I
can print to a laser printer in my home network. And if my client gives
me a URL which I view on the laptop, it would be nice to be able to
bookmark the URL and, once I am back home, bring up and print the web
page directly from the laptop.
As to NFS, I had to search with Google to find the definition. No, on the
laptop and in my LAN the only drives accessed are internal, formatted with
ext4, and an external USB.
> iptables -P INPUT DROP
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
> iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \
>     -j ACCEPT
> iptables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \
>     -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p udp --dport 123 -j ACCEPT
>
> iptables -P FORWARD DROP
>
> ip6tables -P INPUT DROP
> ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
> ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
> ip6tables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \
>     -j ACCEPT
> ip6tables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \
>     -j ACCEPT
> ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
> ip6tables -A INPUT -p udp --dport 123 -j ACCEPT
>
> ip6tables -P FORWARD DROP
>
> Of course, it's *very* simplistic set of rules (for example, someone
> may consider accepting ssh connections from arbitrary hosts a bad idea),
> but it should work.
And I thank you.
> Two things I'm unsure of are:
>
> 1) Avahi's udp 5353. I don't see any value in mDNS (especially in office
> network), but YMMV.
I have been running Debian for thirteen years, but I know absolutely
nothing about avahi. It must have been installed by default, or else,
perhaps as a dependency of some other package.
> 2) Whatever thing you're listening for on tcp 9999 with inetd.
Ah! 9999 is the port used by the approx server. Months ago I had to
install Debian on a system in another location which had a substandard DSL
connection. And whenever I do a Debian netinst, I always use approx,
"just in case". So that is why I installed approx on the laptop.
RLH
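To tie the quoted ruleset back to the two listeners Reco noticed (udp 5353 for avahi, tcp 9999 for approx), here is an added example that is not part of the thread: a POSIX shell audit that reads `ss -H -lntu` output, ignores loopback-only binds such as CUPS on 127.0.0.1:631, and reports whether each remaining listener is reachable through the quoted INPUT chains. The sample `ss` lines and the allow-list (tcp 22, udp 123) are constructed to match the thread.

```shell
#!/bin/sh
# Constructed sample of `ss -H -lntu` output (not captured from the thread):
# Netid State  Recv-Q Send-Q Local:Port    Peer:Port
SAMPLE_SS='tcp   LISTEN 0 128 *:22          *:*
tcp   LISTEN 0 128 127.0.0.1:631 *:*
tcp   LISTEN 0 64  *:9999        *:*
udp   UNCONN 0 0   *:5353        *:*
udp   UNCONN 0 0   *:123         *:*
tcp   LISTEN 0 128 :::22         :::*
tcp   LISTEN 0 128 ::1:631       :::*'

# Ports the quoted INPUT chains accept from any host (tcp 22, udp 123)
ALLOWED='tcp/22 udp/123'

# Read ss output on stdin; print one "proto/port VERDICT" line per socket
# bound to a non-loopback address. Newer ss prints 0.0.0.0:22 / [::]:22 /
# [::1]:631 instead of *:22 / :::22 / ::1:631; both styles are handled.
exposed_listeners() {
    while read -r proto _state _recvq _sendq laddr _peer; do
        [ -n "$proto" ] || continue
        addr=${laddr%:*}            # everything before the last ':'
        port=${laddr##*:}           # everything after the last ':'
        case "$addr" in
            127.*|::1|'[::1]') continue ;;   # loopback-only: not exposed
        esac
        verdict=BLOCKED
        for a in $ALLOWED; do
            [ "$a" = "$proto/$port" ] && verdict=REACHABLE
        done
        echo "$proto/$port $verdict"
    done | LC_ALL=C sort -u
}

# Run the audit over the constructed sample; on a live laptop use
# `ss -H -lntu | exposed_listeners` instead.
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
}

check_sample
```

With the sample data the audit reports tcp/22 and udp/123 as REACHABLE and tcp/9999 and udp/5353 as BLOCKED, which is the split Reco's rules produce for an unchanged laptop.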