From: Peter J. <pe...@gm...> - 2002-09-30 22:57:54
Hi people,

Well, thanks for all the replies. I know I'm being a little over the top, but security is security... The problem with the BT system is, it's silent: they can dial in without anyone knowing. The only way to tell is if you go to pick up all of the lines and you're one short... well, there you go. Maybe if you could see the system it would make a little more sense...

(I just can't believe BT are selling a Celeron 900 PC with a few added extras for over 5K. Linux VOIP, that's what I need!!!!)

Anyway, to save confusion, I think the best way is to change the password for now, and given time I'll take a look at the Linux firewalls (thanks Chris).

Thank you everyone for all the information given; I can assure you it hasn't fallen on deaf ears.

I'll update you all on how it goes over the next few weeks.

Thanks again

Pete

-----Original Message-----
From: ipc...@li... [mailto:ipc...@li...]On Behalf Of Chris Clancey
Sent: 30 September 2002 09:54
To: ipc...@li...
Subject: Re: [IPCop-user] port forwarding to a IP range rather than an IP ?

Hello,

I really think you are being too paranoid about this. I don't think there is any way for the engineer to get any sort of access to your network, apart from making your phones ring :)

Forget using IPCop for what you want to do. Just install Linux (normally) on a box, and set up a network bridge. Once you've done this (with 2 interfaces, one crossover to telephone box, and one to normal network), set up the firewall rules so only the telephone ports are allowed through the bridge. Deny all access to everything on the telephone box side, and allow the ports you need.

This should sort out all your problems. But do be careful about your toaster! It may attack at any time or try to burn your house down, make sure you treat it nice! Or you know your Mickey Mouse alarm clock? You don't want to know what that thing can do!

Chris

----- Original Message -----
From: "Marco van Beek" <mva...@su...>
To: "Peter Joslin" <pe...@gm...>; "Andrew Ruef" <jab...@me...>
Cc: "Ipcop-User" <ipc...@li...>; <va...@da...>
Sent: Monday, September 30, 2002 7:27 AM
Subject: Re: [IPCop-user] port forwarding to a IP range rather than an IP ?

> If every one of your PCs has a modem in it, then every one of those PCs is a potential target. The only way to stop an external person dialling in to the PC is to make sure that it doesn't answer the phone. Since that defeats what you are trying to do, you need to find out how vulnerable the CLID system is to hacking. If the service that answers the phone doesn't give the external caller access to anything useful, then the only problem is a vulnerability in the CLID code.
>
> This may be a stupid question, but have you tried dialling in to a computer and seeing what you get? No point in trying to fix something that A) might not be broken or B) you can't do anything about.
>
> You might be better off making sure that you have some sort of personal firewalling software on each PC as well as up to date anti-virus software.
>
> The IP-Cop box can only protect you from computer traffic; what you are asking is like wanting it to stop a postman from delivering junk mail.
>
> Regards,
>
> Marco van Beek
> Supporting Role Ltd.
>
> ----- Original Message -----
> From: "Peter Joslin" <pe...@gm...>
> To: "Andrew Ruef" <jab...@me...>
> Cc: "Ipcop-User" <ipc...@li...>; <va...@da...>
> Sent: 30 September 2002 00:22
> Subject: RE: [IPCop-user] port forwarding to a IP range rather than an IP ?
>
> > Hi Andrew,
> >
> > All I'm looking at doing is to stop a BT engineer dialing into the phone system and browsing the network neighbourhood, or looking for machines on the network. I'm not worried about unauthorised use of these ports; they are only going to be used in conjunction with the call messaging service, not file browsing.
> >
> > If every port other than the few select are blocked (in the 50000 range), you will be unable to browse the network. Yes, maybe if you were a hacker you could use the open ports and get in some way.
> >
> > Maybe I'm looking at this in the wrong way... maybe I should only be thinking of blocking the select ports Microsoft use for network browsing?
> >
> > Thanks again
> >
> > Pete
> >
> > -----Original Message-----
> > From: Andrew Ruef [mailto:jab...@me...]
> > Sent: 29 September 2002 23:43
> > To: 'Peter Joslin'
> > Subject: RE: [IPCop-user] port forwarding to a IP range rather than an IP ?
> >
> > How are you going to differentiate from an authorized caller from red and an unauthorized caller?
> >
> > The firewall can't. Forward the ports and you make yourself vulnerable to everyone and defeat the purpose of the firewall.
> >
> > Andrew Ruef
> >
> > -----Original Message-----
> > From: Peter Joslin [mailto:pe...@gm...]
> > Sent: Sunday, September 29, 2002 6:08 PM
> > To: Andrew Ruef
> > Cc: Ipcop-User
> > Subject: RE: [IPCop-user] port forwarding to a IP range rather than an IP ?
> >
> > Hi Andrew,
> >
> > That's what I did, and most of the system works fine.
> >
> > However, the connection isn't always going to be made from the green side; take 2 examples:
> >
> > ex1. Workstation 1 makes a call using a number from the Outlook address book. This connection is initiated from the green side, thus allowing traffic to pass either way over the open tunnel. This side works fine.
> >
> > ex2.
> > a call comes into the office, and the BT phone system needs to open up comms between itself and a workstation on the network (when we get a call it uses the CLID to obtain the details of the caller, and call history with the company, and displays them on the workstation of the person that picks up the call).
> >
> > As the connection is being opened from the RED the firewall stops this and refuses the connection to be made to the green network.
> >
> > The only problem I have is that this service runs on many workstations, so I can't just forward any incoming traffic from the phone system to one PC; it has to be open for them all.
> >
> > Hope this makes sense...
> >
> > Thanks for your help
> >
> > Regards
> >
> > Pete
> >
> > -----Original Message-----
> > From: Andrew Ruef [mailto:jab...@me...]
> > Sent: 29 September 2002 18:47
> > To: 'Peter Joslin'
> > Subject: RE: [IPCop-user] port forwarding to a IP range rather than an IP ?
> >
> > Alright, so only people inside the green network should be able to use your phone network, nothing from anywhere else?
> >
> > In that case just slap the firewall in place and don't worry about any kind of port forwarding.
> >
> > Andrew Ruef
> >
> > -----Original Message-----
> > From: Peter Joslin [mailto:pe...@gm...]
> > Sent: Sunday, September 29, 2002 12:53 PM
> > To: Andrew Ruef
> > Cc: Ipcop-User
> > Subject: RE: [IPCop-user] port forwarding to a IP range rather than an IP ?
> >
> > I want everyone on the green network to be able to use the phone system to its full extent; however, I want the firewall in between the phone system and the LAN, to stop any BT engineer dialing into their phone system browsing any open shares on my network.
> >
> > Sorry, maybe I didn't explain myself :)
> >
> > Thanks
> >
> > Pete
> >
> > -----Original Message-----
> > From: Andrew Ruef [mailto:jab...@me...]
> > Sent: 29 September 2002 17:34
> > To: 'Peter Joslin'
> > Subject: RE: [IPCop-user] port forwarding to a IP range rather than an IP ?
> >
> > What would be the benefit in such a situation?
> >
> > The people you don't want using the service can still use it even with your firewall in place.
> >
> > Andrew Ruef
> >
> > -----Original Message-----
> > From: ipc...@li... [mailto:ipc...@li...] On Behalf Of Peter Joslin
> > Sent: Sunday, September 29, 2002 11:15 AM
> > To: Ipcop-User
> > Subject: [IPCop-user] port forwarding to a IP range rather than an IP ?
> >
> > Hi Group,
> >
> > I have limited knowledge in IPCOP's, but so far I have managed to get past all of my problems.
> >
> > But I seem to have hit a brick wall with this, maybe because I don't really know what I'm meant to be doing. So I'm hoping someone out there can help.
> >
> > I have a phone system that talks to my workstations on the LAN; the services it provides are things like dialling numbers from Outlook address book etc. It uses LAN CTE as a communication protocol, a derivative of the MS TAPPI (I think).
> >
> > Anyway, I want to put a firewall between the phone system and the rest of my LAN. This is because the phone system is running NT4 embedded, and BT can dial into this any time day or night.
> > Maybe I'm just too paranoid, but that sounds like a major security issue, as I have never and never will trust BT :)
> >
> > This phone system uses DCOM and RPC to dynamically assign any port from 5000 upward for the software to run on. This was the first problem, but after a little research, I managed to limit the ports DCOM uses for the software. I now have a list of 50 ports to add into the firewall.
> >
> > But how do I open these ports to every machine on the green side of the network? Under the port forwarding section I can only add forwarding to a single IP address.
> >
> > I would really appreciate anybody's view on this, as it's proving a bit of a headache.
> >
> > Thanks very much
> >
> > Pete
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> IPCop-user mailing list
> IPC...@li...
> https://lists.sourceforge.net/lists/listinfo/ipcop-user
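
The filtering bridge Chris Clancey suggests in this thread (a Linux box between the phone system and the LAN that passes only the telephone ports and denies everything else) could be built as follows. This is an added example, not part of any message in the thread; the interface names, the addresses, the 5000-5049 range and the inclusion of TCP 135 (the RPC endpoint mapper) are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example: print iptables commands for a filtering bridge between a
# phone system and a LAN. Every name, address and port here is a placeholder.
# Prerequisites (assumed): both NICs enslaved to one bridge, br_netfilter
# loaded and net.bridge.bridge-nf-call-iptables=1 so bridged IPv4 frames
# reach the FORWARD chain. IPv6 and non-IP frames need ip6tables/ebtables.

# usage: phone_bridge_rules PHONE_IP LAN_CIDR PHONE_IF LAN_IF FIRST_PORT LAST_PORT
phone_bridge_rules() {
    phone_ip=$1 lan_cidr=$2 phone_if=$3 lan_if=$4 first=$5 last=$6

    # Reject non-numeric or inverted bounds instead of emitting a rule that
    # opens more (or less) than the pinned DCOM range.
    for p in "$first" "$last"; do
        case $p in
            ''|*[!0-9]*) echo "port '$p' is not a number" >&2; return 1 ;;
        esac
    done
    if [ "$first" -lt 1 ] || [ "$last" -gt 65535 ] || [ "$first" -gt "$last" ]; then
        echo "bad port range $first:$last" >&2
        return 1
    fi
    ports="135,$first:$last"   # assumption: endpoint mapper + pinned range

    # Default deny; only new TCP connections to the listed ports may cross,
    # in either direction, and only to or from the phone system's address.
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $lan_if --physdev-out $phone_if -p tcp -s $lan_cidr -d $phone_ip -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $phone_if --physdev-out $lan_if -p tcp -s $phone_ip -d $lan_cidr -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $phone_if -m limit --limit 6/min -j LOG --log-prefix "phone-bridge drop: "
EOF
}

# Print the rules when called with all six arguments; review, then pipe to sh as root.
if [ "$#" -eq 6 ]; then
    phone_bridge_rules "$@"
fi
```

Because the FORWARD policy is DROP, Windows file sharing and network browsing traffic from the phone side never matches an ACCEPT rule, so it is dropped and logged rather than needing its own block rules.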