Re: [Bastille-linux-discuss] firewall
From: Peter W <pe...@us...> - 2000-11-23 02:16:19
At 4:12pm Nov 22, 2000, Kelina wrote:

> I'm still learning the basics of ipchains here, but am I opening large
> holes into my firewall, or large holes out of my firewall, when I allow a
> computer behind the server to connect to certain port ranges? Is the latter
> dangerous, and if so, as dangerous as the first?

The danger is you need to allow outside boxes to send UDP back to your system. This is already the case for your DNS servers, but to abuse that, an attacker has to spoof packets from one of three addresses (you did set DNS_SERVERS to "", right?), and from low ports. Raises the bar as much as we can.

For things like games, especially if you can't limit the addresses for the game servers, and you do the sorts of things I've been talking about, you're allowing remote systems to send UDP to high ports on your system. Just like BackOrifice's control works.

> That said, is it possible to forward certain port(ranges) only to certain
> computers, i.e. open up a hole to my Windows box (192.168.0.137) but

I had to re-read that. Port 137? No, dot-137. ;-)

> leaving it closed for the server/gateway (192.168.0.1)? If that's not
> possible, can I just forward those ports with ipfwadm to my Windows box,
> thereby bypassing the entire server/gateway?

Hmm, good idea. It looks like ipmasqadm's autofw might fit the bill. Any takers?

-Peter
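The rule shape Peter describes (UDP replies accepted only from a fixed set of DNS server addresses, only from port 53, only to unprivileged local ports, everything else to high UDP ports logged and dropped) looks like this in ipchains. This is an added example, not code from the message or from Bastille; the interface, the gateway address and the three DNS server addresses are constructed placeholders, and the script only prints the commands unless DRY_RUN is set to 0.

```shell
#!/bin/sh
# Added example: build ipchains rules that limit inbound UDP to DNS replies
# from known servers. IFACE, MY_ADDR and the DNS_SERVERS list are assumptions
# (constructed placeholders), not values from the list message.

IFACE="${IFACE:-eth0}"
MY_ADDR="${MY_ADDR:-192.168.0.1}"
DNS_SERVERS="${DNS_SERVERS:-10.0.0.2 10.0.0.3 10.0.0.4}"
DRY_RUN="${DRY_RUN:-1}"

# Print one ipchains command per line for the given space-separated server list.
# Each ACCEPT admits UDP only from that server's port 53 to our high ports, so
# an attacker would have to forge both one of these source addresses and a low
# source port to get a datagram through.
udp_reply_rules() {
    for srv in $1; do
        printf 'ipchains -A input -i %s -p udp -s %s 53 -d %s 1024:65535 -j ACCEPT\n' \
            "$IFACE" "$srv" "$MY_ADDR"
    done
    # Anything else aimed at unprivileged UDP ports is logged (-l) and denied.
    printf 'ipchains -A input -i %s -p udp -d %s 1024:65535 -l -j DENY\n' \
        "$IFACE" "$MY_ADDR"
}

# Sanity check: number of ACCEPT rules a server list yields.
count_accepts() {
    udp_reply_rules "$1" | grep -c -- '-j ACCEPT'
}

# Print the rules, or feed them to sh when DRY_RUN=0 (requires root and ipchains).
apply_rules() {
    if [ "$DRY_RUN" = "1" ]; then
        udp_reply_rules "$DNS_SERVERS"
    else
        udp_reply_rules "$DNS_SERVERS" | sh
    fi
}
```

Run it as-is to review the generated commands; the final DENY rule is what closes the high-port UDP hole that an unrestricted game or BackOrifice-style listener would otherwise rely on, and the -l flag gives you a kernel log line for each dropped datagram so you can see who is probing.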