
Re: laptop protection in an office network



On Sat, August 29, 2015 1:39 pm, Reco wrote:

> Something like this should save you from the most troubles provided
> that you don't plan to use your laptop as a print server or NFS:

I am not sure how "print server" is defined.  I installed CUPS so that I
can print to a laser printer in my home network.  And if my client gives
me a URL which I view on the laptop, it would be nice to be able to
bookmark the URL and, once I am back home, bring up and print the web
page directly from the laptop.

As to NFS, I had to search with Google to find the definition.  No, on the
laptop and in my LAN the only drives accessed are internal, formatted with
ext4, and an external USB.


> iptables -P INPUT DROP
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
> iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \
>     -j ACCEPT
> iptables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \
>     -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p udp --dport 123 -j ACCEPT
>
> iptables -P FORWARD DROP
>
> ip6tables -P INPUT DROP
> ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
> ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
> ip6tables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \
>     -j ACCEPT
> ip6tables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \
>     -j ACCEPT
> ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
> ip6tables -A INPUT -p udp --dport 123 -j ACCEPT
>
> ip6tables -P FORWARD DROP
>
>
> Of course, it's *very* simplistic set of rules (for example, someone
> may consider accepting ssh connections from arbitrary hosts a bad idea),
> but it should work.

And I thank you.


> Two things I'm unsure of are:
>
> 1) Avahi's udp 5353. I don't see any value in mDNS (especially in office
> network), but YMMV.

I have been running Debian for thirteen years, but I know absolutely
nothing about avahi.  It must have been installed by default, or else,
perhaps as a dependency of some other package.


> 2) Whatever thing you're listening for on tcp 9999 with inetd.

Ah!  9999 is the port used by the approx server.  Months ago I had to
install Debian on a system in another location which had a substandard DSL
connection.  And whenever I do a Debian netinst, I always use approx,
"just in case".  So that is why I installed approx on the laptop.

RLH
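The ruleset Reco quoted, rendered as an added example that is neither Reco's nor RLH's code: a POSIX shell script that emits the same INPUT/FORWARD policy in iptables-restore and ip6tables-restore syntax, so it can be validated with `--test` and loaded atomically instead of one `iptables -A` at a time (rule-by-rule loading leaves a window where the policy is already DROP but the ACCEPT rules are not yet present, which is what locks people out over ssh). The LAN4 and LAN6 prefixes are placeholders I assumed, not values from the thread; ssh and the approx port 9999 that RLH mentions are limited to those prefixes, which addresses the "ssh from arbitrary hosts" caveat Reco raised, and mDNS 5353 is simply left closed. The udp/123 accept is kept as in the post; conntrack RELATED,ESTABLISHED already admits replies to the laptop's own NTP queries, so that rule only matters if the laptop serves time to other hosts.

```shell
#!/bin/sh
# Added example, not code from Reco's or RLH's posts: render the quoted
# INPUT/FORWARD policy as iptables-restore / ip6tables-restore text so the
# laptop's ruleset can be checked with `--test` and loaded atomically.
# LAN4/LAN6 are assumed placeholders, not values taken from the thread.

LAN4="${LAN4:-192.168.1.0/24}"   # placeholder: home LAN, IPv4
LAN6="${LAN6:-fd00::/8}"         # placeholder: home LAN, IPv6 ULA range
SSH_PORT=22
NTP_PORT=123
APPROX_PORT=9999                 # approx cache RLH runs from inetd

# gen_rules 4|6 : print the filter table for one address family.
# Loopback is accepted for both families (Reco's v6 set omitted it, which
# would drop connections to ::1); the two conntrack ESTABLISHED rules from
# the post are merged into one, which matches the same packets.
gen_rules() {
    case "$1" in
        4) icmp="icmp";      lan="$LAN4" ;;
        6) icmp="ipv6-icmp"; lan="$LAN6" ;;
        *) echo "usage: gen_rules 4|6" >&2; return 2 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p $icmp -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $lan -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -p udp --dport $NTP_PORT -j ACCEPT
-A INPUT -s $lan -p tcp --dport $APPROX_PORT -j ACCEPT
COMMIT
EOF
}

# exposed_ports 4|6 : list, in ascending order, the destination ports the
# rendered policy accepts from the network; a quick "what is open" review
# before the rules are loaded.
exposed_ports() {
    gen_rules "$1" | sed -n 's/.*--dport \([0-9][0-9]*\) -j ACCEPT$/\1/p' \
        | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Usage: sh laptop-fw.sh        -> print both rulesets for review
#        sh laptop-fw.sh apply  -> validate with --test, then load (needs root)
case "${1:-print}" in
    apply)
        gen_rules 4 | iptables-restore --test  && gen_rules 4 | iptables-restore
        gen_rules 6 | ip6tables-restore --test && gen_rules 6 | ip6tables-restore
        ;;
    print)
        gen_rules 4
        echo
        gen_rules 6
        ;;
esac
```

Running the script without arguments prints both tables, and `exposed_ports 4` answers the question the thread is really about (which ports the laptop will answer on in the office): with the placeholders above it prints `22 123 9999`, with 22 and 9999 further limited to the LAN prefix.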


