Mailinglist Archive: opensuse-security (555 mails)
Re: [suse-security] firewalling canna port 5680
- From: Joss Winn <joss@xxxxxxxxxxxx>
- Date: Wed, 23 May 2001 20:01:50 +0900
- Message-id: <20010523200150.A671@xxxxxxxxxxxx>
On Wed, May 23, 2001 at 10:01:57AM +0200, Christian Erpelding wrote:
> Hi!
>
> > well, I have had good feedback from SUSE and other users of the Japanese
> > language server, Canna. As far as security at a software level is
> > concerned, I think it is secure. However, it still shows as an open
> > port 5680 when tested with nmap. I have been told that while the
> > software settings are secure, if I want to make it invisible to nmap, I
> > would need kernel level firewalling.
>
> What about using ipchains directly for that job? (untested)
>
> ipchains -A input -s 127.0.0.1 -d 127.0.0.1 5680 -p tcp -i lo -j ACCEPT
> ipchains -A input -d 127.0.0.1 5680 -p tcp -j DENY
> ipchains -A input -d xxx.xxx.xxx.xxx 5680 -p tcp -j DENY
>
> (Replace xxx.xxx.xxx.xxx with your ethernet-ip-address)
>
> These commands deny all tcp-access to your local port 5680, if not from
> your localhost.
>
Thank you. Unfortunately in this case, I use the 2.4.2 kernel with
iptables so ipchain commands don't work for me (the modules don't
load). I've looked through man iptables and an online How-To and it
appears that the above commands should work for iptables, too.
But they don't.
I get the error:
Bad argument `5680'
Port 5680 is in my /etc/services
Could someone who knows more about iptables than I do suggest the
right commands? As Christian said, I want to deny all tcp-access to
my local port 5680/canna except from localhost. I do not use
ethernet. Just ppp0.
thank you
joss
--
http://www.josswinn.org
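
An added example, not part of the original message or thread: iptables' `-d` takes only an address, so a bare `5680` after it is rejected as a bad argument; the port goes in `--dport`, which is only available after `-p tcp`. The sketch below prints the loopback-only rules for port 5680, matching on interface rather than address since ppp0 addresses are usually dynamic (the function name `canna_rules` and the `APPLY` variable are hypothetical).

```shell
#!/bin/sh
# Added example: emit (or apply) iptables rules that restrict a TCP port
# to loopback. canna_rules and APPLY are hypothetical names.

# canna_rules PORT [TARGET]
#   TARGET=DROP   : no reply is sent, nmap reports the port as "filtered"
#   TARGET=REJECT : a TCP reset is sent, nmap reports the port as "closed"
canna_rules() {
    port=$1
    target=${2:-DROP}

    # Only a numeric port in the valid range is accepted.
    case $port in
        ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port out of range: $port" >&2; return 1
    }

    case $target in
        DROP)   verdict="-j DROP" ;;
        REJECT) verdict="-j REJECT --reject-with tcp-reset" ;;
        *) echo "target must be DROP or REJECT" >&2; return 1 ;;
    esac

    # Order matters: the loopback ACCEPT must precede the catch-all rule.
    # -p tcp comes before --dport so the tcp match is loaded first.
    echo "iptables -A INPUT -i lo -p tcp --dport $port -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $port $verdict"
}

# Dry run by default: print the rules. Set APPLY=1 (as root) to load them.
if [ "${APPLY:-0}" = 1 ]; then
    canna_rules 5680 | sh -e
else
    canna_rules 5680
fi
```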