
Re: laptop protection in an office network



On Sat, 29 Aug 2015 14:05:57 -0500
rlharris@oplink.net wrote:

> On Sat, August 29, 2015 1:39 pm, Reco wrote:
> 
> > Something like this should save you from most troubles provided
> > that you don't plan to use your laptop as a print server or NFS:
> 
> I am not sure how "print server" is defined.

An installed CUPS that allows connections from any host other than
yours. Currently it's not your case.


> As to NFS, I had to search with Google to find the definition.  No, on the
> laptop and in my LAN the only drives accessed are internal, formatted with
> ext4, and an external USB.

Ok. In that case you'll lose nothing if you remove the "rpcbind" and
"nfs-common" packages.


> > Of course, it's a *very* simplistic set of rules (for example, someone
> > may consider accepting ssh connections from arbitrary hosts a bad idea),
> > but it should work.
> 
> And I thank you.

You're welcome.


> > Two things I'm unsure of are:
> >
> > 1) Avahi's udp 5353. I don't see any value in mDNS (especially in office
> > network), but YMMV.
> 
> I have been running Debian for thirteen years, but I know absolutely
> nothing about avahi.  It must have been installed by default, or else,
> perhaps as a dependency of some other package.

It's CUPS, probably. CUPS *client* can use Avahi to discover CUPS
*servers* on a *network*. It's completely useless if you have your own
CUPS with you and only print to a locally attached printer.
It's also useless if you *know* which print-server you'll use today.


> > 2) Whatever thing you're listening for on tcp 9999 with inetd.
> 
> Ah!  9999 is the port used by the approx server.  Months ago I had to
> install Debian on a system in another location which had a substandard DSL
> connection.  And whenever I do a Debian netinst, I always use approx,
> "just in case".  So that is why I installed approx on the laptop.

Oh. Then it definitely should be shielded with iptables. Unless, of
course, you plan to provide Debian packages to anyone on your LAN.

Reco
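
The question running through this message is which listeners answer on non-loopback addresses and therefore need shielding with iptables. As an added example that is not part of the original post, the shell function below filters `ss -tuln` output down to those listeners. The sample input is constructed; the labels for ports 5353 and 9999 come from the thread, the others are the standard assignments.

```shell
#!/bin/sh
# Added example: list listeners reachable from the network (not loopback-only).
# Real use on the laptop:  ss -tuln | exposed_listeners

exposed_listeners() {
    awk '
    BEGIN {
        # Port labels: 5353 and 9999 as named in the thread, rest standard.
        name["22"] = "ssh";   name["111"] = "rpcbind"; name["631"] = "cups"
        name["5353"] = "avahi-mdns"; name["9999"] = "approx"
    }
    $1 == "Netid" { next }              # skip the ss header line
    NF >= 5 {
        local = $5                      # "Local Address:Port" column
        port = local
        sub(/.*:/, "", port)            # keep what follows the last colon
        addr = substr(local, 1, length(local) - length(port) - 1)
        # Loopback-bound sockets are not reachable from the office LAN.
        if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next
        svc = (port in name) ? name[port] : "unknown"
        print $1 "/" port " " svc
    }' | LC_ALL=C sort -u
}

# Constructed sample in the format printed by `ss -tuln`.
sample_ss() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      5      [::1]:631          [::]:*
tcp   LISTEN 0      128    0.0.0.0:9999       0.0.0.0:*
EOF
}

sample_ss | exposed_listeners
```

Every line it prints is a socket that either needs a matching firewall rule or belongs to a package that can be removed; CUPS bound to 127.0.0.1 and ::1 is correctly left out.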

