Martin,
Merry Christmas, by the way!
Thanks, likewise!
It uses port 4000, so yes, I could disable all ports above 1024
It's not just that you could, you have to! But take care of the ftp problem. You have to find a solution for that.
But let me ask you another thing about this ftp thingy... I think I knew the difference between active and passive and that you basically want to stick to passive whenever possible, just so that port 20 (which is far more insecure than anything above 1024) can remain closed.
Um... why is port 20 as the ftp-data port more insecure than an ftp-data port on e.g. 40348? Isn't this just security by obscurity?
But when someone inside my network contacts an ftp server out there, then this server talks back to them on a port >= 1024, so on the external->internal input chain, I need to accept such connects.
The differences between active and passive ftp are the following (very generally):
active: ftp server tells client which port to use for ftp data connection
passive: ftp server asks client which port to use for ftp data connection
Take a look again at what I sent you the other day.
And I really can't see how squid would solve this.
The trick lies in the ISO/OSI model. Squid is a proxy and runs on layer 7 (application layer firewall). What you have is a network level firewall. Squid replaces the forward chain and this is your gain. Take a look at my ipchains script I sent you today. Try to make a drawing of it. Then you will see how I designed it.
But anyhow, even for things like ssh, since ipchains is not a context firewall,
I'm sorry, what is a context firewall?
I have to either say allow all connections to ports 1024+, or allow everything from port 22,
No, you don't have to. Find out what ports above 1024 are used by your client to access the ssh server on your firewall box. See how I did it in my script.
for int eth and ext eth, as well as an output rule for int and ext eth.
Yes, I do understand this quite well. Nevertheless, ports 1024+ are then still needed.
Yes, but only for the input and output chains. Not for the forward chain. You can completely close it. Traffic for www, ftp and ssl isn't routed anymore. It is handled by the proxy (as already said above: layer 7). My goal is to set up a proxy for all services (also for smtp and pop). Then I could shut down routing. My firewall would be goddamn secure.
I read it :-) But I took a look at it. As far as I remember, the finger port is open there. Why? You don't allow people to ping you but you allow people to finger you? Where is the security here?
If they finger me, they know the IP anyway. They could use ping to discover the IP...
So why don't you shut down finger if you know that?
irc. That needs auth.
Thanks, didn't know that. I don't use irc.
No prob... it's dumb and it annoys me, but that's the way it is.
Hmm... never tried it. I think it's a waste of time.
But I haven't worked with windoze so long! :)
I don't wear such nice medals. I myself am nothing.
Nice medals? My other certs are nice, the MCSE is a joke! I regret it, it's dirt on my business card!
Being an MCSE means being a more qualified end-user supporter in a company. Bah! I hate such work. People are ignorant. But since I'm paid CHF 150/h, I do it. Sometimes it's easy money. As Caligula already said: money doesn't smell, and I need it to finance my studies.
Philipp
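As an added illustration of the ftp problem discussed above (example code, not part of this exchange and not from either writer's scripts): a small Python helper that decodes the h1,h2,h3,h4,p1,p2 address tuple carried by the PORT command and the 227 passive-mode reply, works out which side opens the data connection, and tells whether a stateless packet filter would need an external->internal accept rule for ports >= 1024 to let that connection in. All addresses and control-channel lines are constructed samples; the internal-network check is a deliberately simple prefix match.

```python
import re
from typing import Tuple

# Constructed control-channel lines and addresses (not from a real session).
SAMPLE_PORT_CMD = "PORT 10,0,0,5,4,1"                                  # client announces 10.0.0.5:1025
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,156,76)."  # server offers 192.0.2.10:40012
INTERNAL_CLIENT = "10.0.0.5"   # constructed internal host
EXTERNAL_SERVER = "192.0.2.10"  # constructed external ftp server

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line: str) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form (RFC 959) used by both PORT and the 227 reply."""
    m = _TUPLE.search(line)
    if m is None:
        raise ValueError("no address tuple in: %r" % line)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in: %r" % line)
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]  # p1 is the high byte, p2 the low byte
    return host, port


def data_channel(mode: str, client_ip: str, server_ip: str, line: str) -> dict:
    """Describe who opens the ftp data connection and where it goes.

    active:  the client sent PORT; the server connects from its port 20 to the announced endpoint.
    passive: the server answered 227; the client connects from an ephemeral port to that endpoint.
    """
    host, port = parse_endpoint(line)
    if mode == "active":
        return {"initiator": "server", "src": (server_ip, 20), "dst": (host, port)}
    if mode == "passive":
        return {"initiator": "client", "src": (client_ip, None), "dst": (host, port)}
    raise ValueError("unknown mode: " + mode)


def inbound_hole_needed(channel: dict, internal_prefix: str) -> bool:
    """True when the data connection is opened from outside towards an internal host.

    A stateless packet filter can only admit that with an external->internal accept
    rule for ports >= 1024; a passive transfer (or an ftp-aware proxy) avoids it.
    """
    return channel["initiator"] == "server" and channel["dst"][0].startswith(internal_prefix)


if __name__ == "__main__":
    for mode, line in (("active", SAMPLE_PORT_CMD), ("passive", SAMPLE_PASV_REPLY)):
        ch = data_channel(mode, INTERNAL_CLIENT, EXTERNAL_SERVER, line)
        print(mode, ch, "inbound hole needed:", inbound_hole_needed(ch, "10.0.0."))
```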