Mailinglist Archive: opensuse-security (363 mails)

Re: [suse-security] have I been invaded?
  • From: Ian David Laws <ian@xxxxxxxxxxxxxxxx>
  • Date: Wed, 4 Jun 2003 11:41:26 +0200
  • Message-id: <200306041141.42773.ian@xxxxxxxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 04 June 2003 01:16, Richard wrote:
> On Tue, 2003-06-03 at 17:07, Ian David Laws wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Tuesday 03 June 2003 18:58, Richard wrote:
> > > user-0ceicg1.ca
> >
> > I would be interested in, how you set up shorewall and I do believe Tom
> > would like to know as well since it is his firewall.
>
> My setup is not all that complicated. I'm using ver 1.4.2 right now. I
> begin with the basic two interface setup. I had to switch eth0 and eth1
> as eth1 is my connection to the cable modem. The Policy file is set to
> DROP all inputs to eth1. As I now use the Vonage VoIP system for my
> phone, I changed the rules to the following:
>
> #ACTION   SOURCE   DEST                 PROTO   DEST    SOURCE    ORIGINAL
> #                                               PORT    PORT(S)   DEST
> #
>
> # Accept DNS connections from the firewall to the network
> #
> ACCEPT fw net tcp 53
> ACCEPT fw net udp 53
> ACCEPT loc fw udp 53
> ACCEPT fw loc udp 53
> ACCEPT loc fw tcp 53

If you have your own DNS server and are sending your DNS info out to the net, then
okay. But if not, you do not need the TCP port (transfer data) open; it is
enough when UDP (query) is open.

> #
> # Accept SSH connections from the local network for administration
> #
> ACCEPT loc fw tcp 22
> ACCEPT fw loc tcp 22
> ACCEPT loc fw tcp 20
> ACCEPT fw loc tcp 20
> ACCEPT loc fw tcp 21
> #ACCEPT fw loc tcp 21

Why use ftp when sftp or scp is just as good? (PuTTY for M$ machines)

> DNAT net loc:192.168.1.147 udp 5060
> DNAT net loc:192.168.1.147 udp 5061
> DNAT net loc:192.168.1.147 udp 10100:10500
> ACCEPT loc fw udp 123
> ACCEPT fw loc udp 123
> # changed net to loc and loc to net on udp port 123 to test the voip
> #ACCEPT loc net udp 5061
>
> ACCEPT loc fw udp 69
> ACCEPT fw loc udp 69
> ACCEPT fw loc udp 67
> ACCEPT fw loc udp 68
> ACCEPT loc fw udp 67
> ACCEPT loc fw udp 68

? Not sure why this is here; I've never used a dummy terminal or TFTP.

>
> #ACCEPT loc net udp 10100:10500
> ACCEPT fw loc tcp 631
> ACCEPT loc fw tcp 631
> #
> # Allow Ping To And From Firewall
> #
> ACCEPT loc fw icmp 8
> ACCEPT net fw icmp 8
> ACCEPT fw loc icmp 8
> ACCEPT fw net icmp 8
> #DROP net fw icmp 8

Why allow ping onto your firewall from the Internet?

> #
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>
<snip>
Looking good.

Ian

- --
A child of five would understand this.
Send someone to fetch a child of five.
Groucho Marx

- ----------------------------------------------------
This mail has been scanned for virus by
AntiVir for UNIX
Copyright (C) 1994-2003 by H+BEDV Datentechnik GmbH.
PGP ID: 589F8449
Fingerprint: EB1C FACF 6BEB 540E 8AC0 F04E 2A25 A2F1 589F 8449
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+3b7WKiWi8VifhEkRAnwRAJ9AbKuEEVALWdpaCPV1UYB9/AM5GACfT+yD
uY66Y/HW+hHqB0+o9ND2BJg=
=mAUQ
-----END PGP SIGNATURE-----
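The points Ian raises against Richard's rules (ICMP echo accepted from the Internet, DNAT from net into the LAN, and plaintext ftp/tftp instead of sftp/scp) can be checked mechanically. The script below is an added example, not code from the thread or from the Shorewall project: it parses a Shorewall 1.4-style rules file (whitespace-separated ACTION SOURCE DEST PROTO DEST-PORT columns, zone:address allowed in SOURCE/DEST, `#` comments) and reports the rules matching those patterns. The sample rules embedded at the bottom are a constructed, shortened version of the posted file, and the port-to-name table is the script's own assumption.

```python
"""Audit a Shorewall 1.4-style rules file for entries worth a second look.

Added example, not from the thread or from Shorewall itself. It parses
whitespace-separated rule lines (ACTION SOURCE DEST PROTO DEST-PORT
[SOURCE-PORT] [ORIGINAL-DEST]) and flags the patterns raised in the replies:
anything ACCEPTed from the 'net' zone to the firewall itself, DNAT from 'net'
into the LAN, and plaintext file-transfer services (ftp, tftp) allowed at all.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed mapping of plaintext services to their well-known ports.
CLEARTEXT_PORTS: Dict[str, Dict[str, str]] = {
    "tcp": {"20": "ftp-data", "21": "ftp"},
    "udp": {"69": "tftp"},
}


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dport: Optional[str]
    line_no: int

    @property
    def source_zone(self) -> str:
        # 'loc:192.168.1.147' -> zone 'loc'; a bare zone name is returned as-is.
        return self.source.split(":", 1)[0].lower()

    @property
    def dest_zone(self) -> str:
        return self.dest.split(":", 1)[0].lower()


def parse_rules(text: str) -> List[Rule]:
    """Turn the rules file into Rule objects, dropping comments and blanks."""
    rules: List[Rule] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing/whole-line comments
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            continue  # malformed: a fuller audit would report it, we skip it
        proto = cols[3].lower() if len(cols) > 3 else "all"
        dport = cols[4] if len(cols) > 4 and cols[4] != "-" else None
        rules.append(Rule(cols[0].upper(), cols[1], cols[2], proto, dport, n))
    return rules


def audit(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (line number, message) for every rule matching a flagged pattern."""
    findings: List[Tuple[int, str]] = []
    for r in rules:
        what = f"{r.proto}/{r.dport}" if r.dport else r.proto
        if r.action == "ACCEPT" and r.source_zone == "net" and r.dest_zone == "fw":
            findings.append((r.line_no, f"ACCEPT net->fw {what}: firewall reachable from the Internet"))
        if r.action == "DNAT" and r.source_zone == "net":
            findings.append((r.line_no, f"DNAT net->{r.dest} {what}: Internet traffic forwarded into LAN"))
        if r.action == "ACCEPT" and r.dport in CLEARTEXT_PORTS.get(r.proto, {}):
            name = CLEARTEXT_PORTS[r.proto][r.dport]
            findings.append((r.line_no, f"ACCEPT {r.source_zone}->{r.dest_zone} {name}: plaintext protocol, prefer sftp/scp"))
    return findings


# Constructed sample, a shortened version of the rules posted in the thread.
SAMPLE_RULES = """\
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
#                         PORT PORT(S) DEST
ACCEPT fw net tcp 53
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 22
ACCEPT loc fw tcp 21
ACCEPT loc fw udp 69
DNAT net loc:192.168.1.147 udp 5060
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

if __name__ == "__main__":
    for line_no, msg in audit(parse_rules(SAMPLE_RULES)):
        print(f"line {line_no}: {msg}")
```

Run against a real file with `audit(parse_rules(open("/etc/shorewall/rules").read()))`; each finding is only a prompt to justify the rule, as Ian's replies do, not an automatic verdict.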

