Mailinglist Archive: opensuse-factory (808 mails)

Re: [opensuse-factory] Integration of firewalld?
On 3 August 2011 08:31, Johannes Meixner <jsmeix@xxxxxxx> wrote:

> On Aug 2 18:13 Rob Davies wrote (excerpt):
>
>> One incident that comes from personal experience, was in a "trusted"
>> company network.
>> Basically I got port scanned from the Internet Gateway host
>
> If you have the ports open in the firewall for the services
> which you use in your internal network, the firewall would not
> help you against a port scan or against any kind of attack
> regarding the services which you use in your internal network.
>
> If you use services in your internal network, you cannot protect
> them with firewalls inside your internal network.
>
> You can only protect your whole trusted network with a firewall
> at the borderline of your trusted network.
>
> If the protection at the borderline fails you are basically doomed.

Actually I arranged to explicitly enable host IP addresses requiring
access, detecting "unauthorised" accesses.
Furthermore I took advantage of the subnetting. Resigning oneself to
"being doomed" is not a practical option; it certainly won't enhance
your reputation with the managers who allocate the department
budgets.

You can for instance arrange for a peer's DNS or NTP server UDP
packets to pass, but generally block UDP on that interface as
illegitimate.


There is a general problem with the idea of "trusted": it is far too black
& white when reality hits.


BTW, someone mentioned ssh: sshd can listen on alternative ports to
22, which actually seems a wise step given the ssh port probing I've
seen.

Rob
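An added example, not part of Rob's or Johannes's mail and not openSUSE's or firewalld's own configuration: the policy Rob describes (let a named peer's DNS and NTP UDP packets through, treat all other UDP on that interface as illegitimate, and notice the "unauthorised" attempts) expressed as a firewalld zone. The interface name eth1, the peer addresses 192.0.2.53 and 192.0.2.123 and the zone name "peers" are assumptions for illustration, and the script assumes a firewalld recent enough to have zone targets and --set-log-denied, which postdate this 2011 thread. The script only generates the zone file and the equivalent firewall-cmd commands; it does not apply anything.

```shell
#!/bin/sh
# Added example (not from the thread): a firewalld zone that admits UDP
# only from named peers, for DNS (53) and NTP (123), drops everything
# else that arrives unsolicited on the interface, and logs what it drops.
# Assumptions: interface eth1, DNS peer 192.0.2.53, NTP peer 192.0.2.123,
# zone name "peers"; firewalld with zone targets and --set-log-denied.
set -eu

ZONE=peers

# One allow-list entry in firewalld's zone XML: accept UDP <port> from <host>.
# $1 = source host address, $2 = UDP port
peer_rule_xml() {
    printf '  <rule family="ipv4">\n'
    printf '    <source address="%s"/>\n' "$1"
    printf '    <port protocol="udp" port="%s"/>\n' "$2"
    printf '    <accept/>\n'
    printf '  </rule>\n'
}

# Complete zone definition, i.e. the content of /etc/firewalld/zones/$ZONE.xml.
# target="DROP" is what turns the rules into an allow-list: anything not
# matched by a rule is dropped, so no catch-all "drop udp" rich rule is
# needed. That matters because drop/reject rich rules sort before accept
# rules at the same priority, so a catch-all drop would shadow the peers.
# $1 = interface, $2 = DNS peer, $3 = NTP peer
build_zone_xml() {
    printf '<?xml version="1.0" encoding="utf-8"?>\n'
    printf '<zone target="DROP">\n'
    printf '  <short>%s</short>\n' "$ZONE"
    printf '  <description>UDP 53/123 from named peers only; all else dropped</description>\n'
    printf '  <interface name="%s"/>\n' "$1"
    peer_rule_xml "$2" 53
    peer_rule_xml "$3" 123
    printf '</zone>\n'
}

# The same policy as firewall-cmd invocations, for hosts where editing zone
# files by hand is not wanted. Printed rather than executed so it can be
# reviewed first; pipe the output into sh as root to apply it.
# $1 = interface, $2 = DNS peer, $3 = NTP peer
build_zone_cmds() {
    printf 'firewall-cmd --permanent --new-zone=%s\n' "$ZONE"
    printf 'firewall-cmd --permanent --zone=%s --set-target=DROP\n' "$ZONE"
    printf 'firewall-cmd --permanent --zone=%s --change-interface=%s\n' "$ZONE" "$1"
    for peer in "$2:53" "$3:123"; do
        host=${peer%:*}
        port=${peer#*:}
        printf "firewall-cmd --permanent --zone=%s --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"udp\" accept'\n" "$ZONE" "$host" "$port"
    done
    # Log unsolicited unicast packets that fall through to the DROP target,
    # so "unauthorised" accesses show up in the kernel log (dmesg/journal).
    printf 'firewall-cmd --set-log-denied=unicast\n'
    printf 'firewall-cmd --reload\n'
}

# Number of accept rules in a generated zone read from stdin
# (sanity check: one per peer).
count_accept_rules() {
    grep -c '<accept/>'
}

build_zone_xml eth1 192.0.2.53 192.0.2.123
echo
build_zone_cmds eth1 192.0.2.53 192.0.2.123
```

Usage: run the script, inspect the output, then either save the XML under /etc/firewalld/zones/peers.xml and `firewall-cmd --reload`, or feed the printed commands to a root shell. If NetworkManager manages eth1, bind the zone through the connection profile instead of `--change-interface`, otherwise the binding may be overridden when the connection comes up. Services the host deliberately runs on that interface (TCP, or UDP from other peers) each need their own accept rule; the zone target drops everything not listed.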
