From: Martin Feeney (martin at domain tuatha.org)
Date: Fri 28 Jul 2000 - 16:59:00 IST
On 28 Jul 00, at 15:39, kevin lyda wrote:
> I was bored last night and installed it. My "firewall" at home
> usually has the following running:
>
> mysql - listening on 0.0.0.0:3306
> nfs - /home,/u1,/u2 exported *(rw), and /mnt/cdrom *(ro)
> lp, tftp, rlogin, sendmail, rwalld, etc...
>
> I'M A LAZY BASTARD OK?!
>
> This has been true for over a year and I'm dialed in a fair bit.
> Sometimes I download security updates.
>
> So now portsentry is installed. /etc/exports limits to 192.168.5.0/24.
> What else? Is there a quick ipchains rule to close out anything except
> ssh connecting on ppp0? (OK, ephemeral ports, and a port for gnutella
> - 6346)
# default to DENY
/sbin/ipchains -P input DENY
# allow ssh on ppp0
/sbin/ipchains -A input -j ACCEPT -i ppp0 -d <ip of ppp0>/32 22 -p tcp
# allow replies to connections the box itself opens over ppp0: ipchains is
# stateless, so without this every outbound TCP session (anything coming
# back to the ephemeral ports) would be denied. "! -y" matches packets with
# SYN clear, i.e. not new connection attempts. UDP replies (e.g. DNS) are
# not covered by -y and need their own rule.
/sbin/ipchains -A input -j ACCEPT -i ppp0 -d <ip of ppp0>/32 -p tcp ! -y
# allow lo to talk to itself
/sbin/ipchains -A input -j ACCEPT -i lo
# block outgoing SMB (NetBIOS name service, 137/udp) from the internal
# network; this must come before the eth0 ACCEPT below or it never matches
/sbin/ipchains -A input -j DENY -i eth0 -s <internalnetwork/mask> -d 0/0 137 -p udp -l
# allow internal machines (and eth0) to talk to you
/sbin/ipchains -A input -j ACCEPT -i eth0 -s <internal ip network/netmask>
# deny and log everything else
/sbin/ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
on top of that I'd set hosts.deny to ALL:PARANOID and try to get mysql to
only listen on the address(es) of eth*. Also I'd remove all trace of tftp
and exorcise my machine afterward unless there is a _REALLY_ desperate
need for it. I'd also kill all rsh/rlogin/etc. servers.
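The advice above (bind mysql to eth* only, get rid of tftp and the r-services) comes down to one question: which sockets on the box are bound to 0.0.0.0 and therefore answer on ppp0 as well as eth0? The script below is an added example, not code from either mail; it parses `netstat -an`-style output (the sample listing is constructed for the example, and the function names exposed_sockets and check_exposure are my own) and reports every wildcard-bound listener that is not on an allow list of "proto/port" entries.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output (made up for this example; feed
# the script the real listing, e.g. SAMPLE=$(netstat -an), on your own box).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.5.1:139         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.5.1:22          192.168.5.10:1034       ESTABLISHED
udp        0      0 0.0.0.0:69              0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Print "proto port" for each listening socket bound to the wildcard address
# 0.0.0.0: those answer on ppp0 as well as eth0 unless a packet filter stops
# them. Sockets bound to 127.0.0.1 or an eth0 address are left alone, and
# established tcp connections are skipped.
exposed_sockets() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $6 != "LISTEN" { next }
        $1 ~ /^(tcp|udp)$/ && $4 ~ /^0\.0\.0\.0:/ {
            split($4, a, ":"); print $1, a[2]
        }'
}

# Report every wildcard-bound socket that is not on the allow list, given as
# space-separated "proto/port" entries (e.g. "tcp/22 tcp/6346").
check_exposure() {
    listing=$1; allowed=$2
    exposed_sockets "$listing" | while read -r proto port; do
        case " $allowed " in
            *" $proto/$port "*) ;;
            *) echo "EXPOSED $proto/$port is bound to 0.0.0.0" ;;
        esac
    done
}

# Standalone run: only ssh is supposed to be reachable from outside.
check_exposure "$SAMPLE" "tcp/22"
```

On the sample this flags mysql (3306/tcp), tftp (69/udp) and the portmapper (111/udp); 139/tcp bound to the eth0 address and sendmail on 127.0.0.1 pass. Anything it reports is either a candidate for binding to an internal address, for removal, or for an explicit DENY rule on ppp0 in the ipchains list above. Newer systems print a different layout from `ss -tuln`, so the awk field positions assume classic netstat.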
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:07:01 GMT