Re: [Bastille-linux-discuss] firewall

[Peter W <pe...@us...>]

At 4:12pm Nov 22, 2000, Kelina wrote:

> I'm still learning the basics of ipchains here, but am i opening large
> holes into my firewall, or large holes out of my firewall when i allow a
> computer behind the server to connect to certain portranges. Is the latter
> dangerous, if so as dangerous as the first?

The danger is you need to allow outside boxes to send UDP back to your
system. This is already the case for your DNS servers, but to abuse that,
an attacker has to spoof packets from one of three addresses (you did set
DNS_SERVERS to "", right?), and from low ports. Raises the bar as much as
we can. For things like games, especially if you can't limit the addresses
for the game servers, and you do the sorts of things I've been talking
about, you're allowing remote systems to send UDP to high ports on your
system. Just like BackOrifice's control works.

> That said is it possible to forward certain port(ranges) only to certain
> computers, i.e. open up a hole to my windows box (192.168.0.137) but

I had to re-read that. Port 137? No, dot-137. ;-)

> leaving it closed for the server/gateway (192.168.0.1). If that's not
> possible, can i just forward those ports with ipfwadm? to my windows box
> thereby bypassing the entire server/gateway.

Hmm, good idea. It looks like ipmasqadm's autofw might fit the bill.

Any takers?

-Peter