Hello again, well, I have had good feedback from SUSE and other users of the Japanese language server, Canna. As far as security at a software level is concerned, I think it is secure. However, it still shows as an open port 5680 when tested with nmap. I have been told that while the software settings are secure, if I want to make it invisible to nmap, I would need kernel level firewalling. I have Firewall2 set up on my dialup ppp box. Can anyone tell me what settings I need to change in YaST to enable firewalling on port 5680 and make it invisible to the outside? I thought that blocking high ports would do it, but it still shows up on nmap.

Thanks very much. This is more a learning process than a real world security threat, but I appreciate your help all the same.

Cheers,
Joss
Hi!
well, I have had good feedback from SUSE and other users of the Japanese language server, Canna. As far as security at a software level is concerned, I think it is secure. However, it still shows as an open port 5680 when tested with nmap. I have been told that while the software settings are secure, if I want to make it invisible to nmap, I would need kernel level firewalling.
What about using ipchains directly for that job? (untested)

ipchains -A input -s 127.0.0.1 -d 127.0.0.1 5680 -p tcp -i lo -j ACCEPT
ipchains -A input -d 127.0.0.1 5680 -p tcp -j DENY
ipchains -A input -d xxx.xxx.xxx.xxx 5680 -p tcp -j DENY

(Replace xxx.xxx.xxx.xxx with your ethernet IP address)

These commands deny all TCP access to your local port 5680, if not from your localhost.

--
MfG, Chr. Erpelding
ce-data Datentechnik
On Wed, May 23, 2001 at 10:01:57AM +0200, Christian Erpelding wrote:
Hi!
well, I have had good feedback from SUSE and other users of the Japanese language server, Canna. As far as security at a software level is concerned, I think it is secure. However, it still shows as an open port 5680 when tested with nmap. I have been told that while the software settings are secure, if I want to make it invisible to nmap, I would need kernel level firewalling.
What about using ipchains directly for that job? (untested)
ipchains -A input -s 127.0.0.1 -d 127.0.0.1 5680 -p tcp -i lo -j ACCEPT
ipchains -A input -d 127.0.0.1 5680 -p tcp -j DENY
ipchains -A input -d xxx.xxx.xxx.xxx 5680 -p tcp -j DENY
(Replace xxx.xxx.xxx.xxx with your ethernet IP address)
These commands deny all TCP access to your local port 5680, if not from your localhost.
Thank you. Unfortunately in this case, I use the 2.4.2 kernel with iptables, so ipchains commands don't work for me (the modules don't load). I've looked through man iptables and an online How-To and it appears that the above commands should work for iptables, too. But they don't. I get the error:

Bad argument `5680'

Port 5680 is in my /etc/services. Could someone who knows more about iptables than I do suggest the right commands? As Christian said, I want to deny all TCP access to my local port 5680/canna except from localhost. I do not use ethernet, just ppp0.

Thank you,
joss

--
http://www.josswinn.org
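For the iptables question above, here is an added example (not code from either poster, and not Christian's ipchains rules themselves). The "Bad argument `5680'" error comes from iptables not accepting a port after `-d` the way ipchains does; a port is given with `--dport` on a `-p tcp` match instead. The script below expresses the same policy for netfilter on a 2.4 kernel: accept TCP 5680 only on the loopback interface, drop it everywhere else (ppp0 included, so no interface address is needed). The names `canna_rules` and `apply_canna_rules` and the `APPLY=1` switch are this example's own conventions; `iptables`, `-A INPUT`, `-i lo`, `--dport` and the `ACCEPT`/`DROP` targets are standard iptables.

```shell
#!/bin/sh
# Added example, not from the thread: iptables equivalent of the ipchains
# rules suggested above. Assumes a 2.4 kernel with the netfilter "filter"
# table and root privileges when applying. Port 5680 is Canna, as in the
# question; APPLY=1 is this script's own opt-in switch.

CANNA_PORT=5680

# Print the rules in the order they must be appended (-A appends, so the
# loopback ACCEPT has to come before the catch-all DROP). Kept as a
# function so the list can be reviewed or tested without touching the
# live firewall.
canna_rules() {
    cat <<EOF
iptables -A INPUT -i lo -p tcp --dport $CANNA_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $CANNA_PORT -j DROP
EOF
}

# Apply the rules. Without APPLY=1 this is a dry run, so sourcing the
# file or running it by mistake changes nothing.
apply_canna_rules() {
    if [ "${APPLY:-0}" != 1 ]; then
        echo "dry run: set APPLY=1 to load the rules" >&2
        return 0
    fi
    canna_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

apply_canna_rules
```

Run it as root with `APPLY=1 ./canna-fw.sh` (the file name is arbitrary) and confirm with `iptables -L INPUT -n`. The second rule uses DROP rather than REJECT on purpose: a dropped SYN makes nmap report the port as "filtered" (no answer at all), whereas REJECT sends an ICMP error or RST and nmap shows it as "closed", which still tells a scanner that a host is there and answering on that port.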
participants (2): Christian Erpelding, Joss Winn