On Wed, 8 Apr 2009 21:07:45 lynn wrote:
[...]
Phew. Thanks for taking all that time Rodney. Yes. The adsl router does have a firewall. It's a good idea if SuSEfirewall2 doesn't work. It has these options:
You're welcome. Actually, scanning the log and seeing the problem took less time than writing the email. Before going too far it may be worth trying the recipe that Carlos mentioned in an earlier reply. I'd be interested to see if it does fix the problem (in other words, if I correctly interpreted what I saw in the wireshark capture file).
Enable DOS and Portscan Protection:
  SYN attack
  FIN/URG/PSH attack
  Ping Attack
  Xmas Tree attack
  TCP reset attack
  Null scanning attack
  Ping of Death attack
  SYN/RST SYN/FIN attack
Which would you suggest setting to 'yes', bearing in mind that my NAS runs a bittorrent client (ctorrent with dctcs)?
I concur with Carlos. Set them all. If you enable UPnP then the bittorrent client will be able to automatically "punch" a hole in the firewall as required. That is what UPnP is for - to allow aware applications and firewalls to open and close access on an as-needed basis. In extreme cases it could be seen as a security risk - whether you use it or not is entirely up to you. I have used it on my Linksys router and it does work, but the torrent client needs to be UPnP enabled. Your NAS box docos should detail what config is needed if it is supported.
There's also NAT, where I've no ports forwarded except ALG as follows (the D-Link default, I think):
  PPTP
  IPSec (VPN Passthrough)
  RTSP (Online Video Streaming)
  Windows/MSN Messenger (automatically disabled if UPnP is enabled)
  FTP
  H.323 (Video Conferencing)
  SIP
I would not have any NAT ports forwarded from the outside world unless absolutely necessary (i.e. either you or someone you trust needs to access your network from outside the firewall), and then only very selectively, e.g. ssh (for remote admin), https (for webmail perhaps - I've used it for that in the past), and that's about it. You probably don't need PPTP or IPSec unless you're running a VPN to another site. You don't need RTSP unless you're streaming media to others elsewhere on the net (and IMHO you'd probably be crazy to try that over a dsl connection); MSN Messenger (or its Linux equivalent) maybe, if you use instant messaging; H.323 most likely not needed; and SIP only if you use a VoIP service (e.g. Skype or another IP telephony service) from inside your LAN and want to receive incoming calls.
Isn't NAT alone good enough for what I want to do? Listen to MP3s and AVIs I have on my laptop? If no one can connect to me from the outside then I'm OK internally on the LAN, no?
You only need NAT if you want to connect to a box on your LAN from outside the firewall (i.e. elsewhere on the internet). If you have no need to accept incoming connections from outside, turn it all OFF.
Cheers, L x
-- 
===================================================
Rodney Baker VK5ZTV rodney.baker@iinet.net.au
===================================================
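The router options lynn lists ("Xmas Tree", "Null scanning", "SYN/RST SYN/FIN", "FIN/URG/PSH") are names for TCP flag combinations that never occur in a legitimate connection. As an added example, not part of the thread, here is a small classifier that pulls the flag byte out of a raw TCP header and names the scan type, plus a trivial per-source counter of the kind a "Portscan Protection" option implements. The packets and the threshold are constructed for the example.

```python
"""Added example, not from the mailing-list thread: identify the TCP flag
combinations that the router's DoS/portscan options refer to, and count
how many distinct ports a source has probed with them."""
import struct
from collections import defaultdict

# TCP flag bits in the header's flags byte (low six bits; CWR/ECE ignored).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags_from_header(hdr: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header (>= 20 bytes)."""
    if len(hdr) < 20:
        raise ValueError("truncated TCP header")
    return hdr[13] & 0x3F  # byte 13 is the flags byte


def classify_tcp_flags(flags: int) -> str:
    """Name the scan/attack pattern a packet with these flags matches.

    'normal' covers every combination a real TCP stack emits (SYN, SYN/ACK,
    ACK, PSH/ACK, FIN/ACK, RST, RST/ACK)."""
    if flags == 0:
        return "null scan"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & (SYN | ACK):
        return "xmas tree"
    if flags & SYN and flags & FIN:
        return "syn/fin"
    if flags & SYN and flags & RST:
        return "syn/rst"
    if flags & FIN and not flags & ACK:
        return "fin scan"  # a bare FIN never starts or belongs to a connection
    return "normal"


def make_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header for the example (no options, no checksum)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def portscan_sources(packets, threshold: int = 5):
    """packets: iterable of (src_ip, tcp_header_bytes).

    Returns {src_ip: sorted ports} for sources that hit more than `threshold`
    distinct destination ports with scan-type flags. Threshold is an assumption."""
    probed = defaultdict(set)
    for src, hdr in packets:
        _, dport = struct.unpack("!HH", hdr[:4])
        if classify_tcp_flags(tcp_flags_from_header(hdr)) != "normal":
            probed[src].add(dport)
    return {src: sorted(ports) for src, ports in probed.items() if len(ports) > threshold}


# Constructed traffic: one host running an Xmas scan across ten ports, one
# host doing an ordinary three-way handshake to port 6881 (a torrent port).
SAMPLE_PACKETS = [("203.0.113.9", make_tcp_header(40000 + p, p, FIN | PSH | URG))
                  for p in range(20, 30)]
SAMPLE_PACKETS += [("192.168.0.7", make_tcp_header(51000, 6881, SYN)),
                   ("192.168.0.7", make_tcp_header(51000, 6881, ACK)),
                   ("192.168.0.7", make_tcp_header(51000, 6881, PSH | ACK))]

if __name__ == "__main__":
    for src, ports in portscan_sources(SAMPLE_PACKETS).items():
        print(f"portscan from {src}: {len(ports)} ports {ports[0]}..{ports[-1]}")
```

Only the flag byte is inspected, so the classifier is cheap enough to sit on every packet; the per-source counter is what turns single odd packets into a "portscan" verdict.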
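Rodney's point that UPnP lets the torrent client "punch" a hole, and that this can be a security risk, is easier to judge once you see the request. As an added example, not part of the thread, the block below builds the SOAP AddPortMapping request a UPnP-aware client sends to the router (the action and argument names are from the UPnP IGD WANIPConnection:1 service), parses it the way the router side would, and applies a policy check. The LAN range, the deny-listed ports and the rule that a client may only map ports back to itself are assumptions for the example; the last of those matches what miniupnpd calls secure_mode.

```python
"""Added example, not from the mailing-list thread: a UPnP IGD AddPortMapping
"hole punch" and a policy check a router could apply to it. There is no
credential anywhere in the request; the router knows only the source IP."""
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_add_port_mapping(internal_client, internal_port, external_port,
                           protocol="TCP", description="ctorrent", lease=0):
    """SOAP body a UPnP-aware client posts to open external_port ->
    internal_client:internal_port. lease=0 means a permanent mapping."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:AddPortMapping xmlns:u="{IGD_NS}">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{external_port}</NewExternalPort>
   <NewProtocol>{protocol}</NewProtocol>
   <NewInternalPort>{internal_port}</NewInternalPort>
   <NewInternalClient>{internal_client}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>{description}</NewPortMappingDescription>
   <NewLeaseDuration>{lease}</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""


def parse_add_port_mapping(xml_text):
    """Router-side view: extract the AddPortMapping arguments from the request."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    action = None if body is None else body.find(f"{{{IGD_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    args = {child.tag: (child.text or "") for child in action}
    return {
        "remote_host": args.get("NewRemoteHost", ""),
        "external_port": int(args["NewExternalPort"]),
        "protocol": args["NewProtocol"].upper(),
        "internal_port": int(args["NewInternalPort"]),
        "internal_client": args["NewInternalClient"],
        "description": args.get("NewPortMappingDescription", ""),
        "lease": int(args.get("NewLeaseDuration", "0")),
    }


# Policy assumptions for the example: the LAN prefix, and external ports that
# an unauthenticated LAN request should never be allowed to open.
LAN = ip_network("192.168.0.0/24")
NEVER_FORWARD = {22, 23, 80, 443, 445, 3389}


def check_mapping(req, requester_ip):
    """Return (allowed, reason). The second rule is miniupnpd's secure_mode
    behaviour: a client may only open ports that point back at itself."""
    src = ip_address(requester_ip)
    if src not in LAN:
        return False, "requester is not on the LAN"
    if ip_address(req["internal_client"]) != src:
        return False, "internal client differs from requester"
    if req["protocol"] not in ("TCP", "UDP"):
        return False, "unknown protocol"
    for p in (req["external_port"], req["internal_port"]):
        if not 1 <= p <= 65535:
            return False, "port out of range"
    if req["external_port"] in NEVER_FORWARD:
        return False, f"external port {req['external_port']} is on the deny list"
    return True, "ok"


if __name__ == "__main__":
    # ctorrent on the NAS opening its own listen port: honoured.
    req = parse_add_port_mapping(build_add_port_mapping("192.168.0.50", 6881, 6881))
    print(check_mapping(req, "192.168.0.50"))
    # Another LAN host trying to expose the NAS's ssh port: refused twice over.
    req = parse_add_port_mapping(build_add_port_mapping("192.168.0.50", 22, 22))
    print(check_mapping(req, "192.168.0.77"))
```

Without the second rule, any device on the LAN (a compromised laptop, a guest's phone) can expose any other device's ports to the internet with one unauthenticated HTTP POST, which is the risk Rodney alludes to; the deny list is there because a torrent client has no business opening ssh or SMB even on its own host.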