A Swiss, I only see it now. But nevertheless, I'll still stick to English, for I believe it's easiest when talking computers. But you are right, I am German and so I don't have a problem with that language. Merry Christmas, by the way! Thus spoke Philipp Snizek (on Mon, 25 Dec 2000 08:47:03PM +0100):
You should do a tcpdump or use iptraf to find out what ports ICQ uses. The rest you know yourself. BTW: ICQ is AFAIK a serious security hole. Maybe you already heard/read about the various ICQ hacks.
It uses port 4000, so yes, I could disable all ports above 1024, but let me ask you another thing about this FTP thingy... I think I knew the difference between active and passive and that you basically want to stick to passive whenever possible just so that port 20 (which is far more insecure than anything above 1024) can remain closed. But when someone inside my network contacts an FTP server out there, then this server talks back to them on a port >= 1024, so on the external->internal input chain, I need to accept such connects. And I really can't see how Squid would solve this. But anyhow, even for things like SSH, since ipchains is not a context firewall, I have to either say allow all connections to ports 1024+, or allow everything from port 22, and the latter is a horrible one, if you know what I mean...
Well, how does Squid handle this, and why would using Squid (without transparency) allow me to close ports 1024 and up?
How Squid handles this I can't tell you (I'm not a programmer). Why can you close ports 1024 and up? Generally I can't say you can close them. You can only close them in the forward chain, because Squid as a proxy is a layer 7 (application layer) application and so it replaces the forward chain, or rather the routing decision. Take the drawing I sent you and replace the forward with Squid. This is the answer to your question. You can completely deny the forward rule for www, ftp and ssl. All you have to define are input rules for the int eth and ext eth as well as output rules for the int and ext eth.
Yes, I do understand this quite well. Nevertheless, ports 1024+ are then still needed.
I read it :-) But I took a look at it. As much as I remember, the finger port is open there. Why? You don't allow people to ping you, but you allow people to finger you? Where is the security in that?
If they finger me, they know the IP anyway. They could use ping to discover the IP...
IRC. That needs auth. Thanks, didn't know that. I don't use IRC.
No prob... It's dumb and it annoys me, but that's the way it is.
True, true. And I am an MCSE myself. Martin, shame on you! ;-)
But I haven't worked with Windoze for so long! :) I don't wear such nice medals. I myself am nothing.
Nice medals? My other certs are nice; the MCSE is a joke! I regret it; it's dirt on my business card!
Let me see what I can do. Maybe I'll learn some coding from you. For a long time I have wanted to reprogram my ipchains, because it seems to be a mess to me. Until now I have only worked with the three ipchains-defined rules (input, output, forward) and never defined my own rules. So it will be interesting for me. But let me do it tomorrow, OK?
Oh sure. I appreciate your time. I'll look over yours too if you wish.
Have you ever tried to run ipchains on a Linux bridge? Cool thing... :-)
I.e. one Linux computer, multiple eth interfaces, and a routing table to simulate a bridge? That's not really layer 2, is it? What else is a Linux bridge?

martin [greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net

-- "you raise the blade, you make the change you rearrange me till i'm sane. you lock the door, and throw away the key, there's someone in my head but it's not me." -- pink floyd, 1972
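The dilemma discussed in the thread above (a stateless ipchains input chain on the external interface must either accept everything to ports 1024+ or accept everything from source port 22, and the latter is horrible) can be made concrete. The following is an added example, not code from the original thread or from either participant; it models three such external input policies in Python against constructed packets and also shows the stateless refinement ipchains actually offers, matching on the SYN flag with `! -y`. The ipchains command strings in the comments assume `eth0` is the external interface; the packets, ports and names are constructed for illustration.

```python
"""Added example: a model of a stateless (ipchains-style) external input chain.

Not from the original thread. Packets and the interface name (eth0 is assumed
to be the external interface) are constructed for illustration. Three ways of
admitting return traffic are compared; first matching rule wins, default DENY.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int      # source port (the remote side)
    dport: int      # destination port (our side)
    syn: bool       # SYN set with ACK clear: a connection-opening packet


# Policy 1: accept everything destined to an unprivileged port.
# ipchains equivalent (assumed external interface eth0):
#   ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 1024:65535 -j ACCEPT
def allow_high_ports(p: Packet) -> bool:
    return p.proto == "tcp" and p.dport >= 1024


# Policy 2: accept everything that claims to come from the ssh port.
#   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 22 -j ACCEPT
# Anyone can choose source port 22, so this admits attacker-initiated SYNs.
def allow_from_port_22(p: Packet) -> bool:
    return p.proto == "tcp" and p.sport == 22


# Policy 3: accept TCP packets that are not connection-opening SYNs.
# This is the closest a stateless filter gets to "replies only":
#   ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
# Caveat: a bare ACK still passes (ACK scans), but it cannot open a connection.
def allow_non_syn(p: Packet) -> bool:
    return p.proto == "tcp" and not p.syn


POLICIES = {
    "dport>=1024": allow_high_ports,
    "sport==22": allow_from_port_22,
    "!SYN": allow_non_syn,
}

# Constructed packets arriving on the external interface.
SAMPLE_PACKETS = {
    # server half of an ssh session our inside client opened
    "ssh reply": Packet("tcp", 22, 40123, syn=False),
    # server half of a passive-mode FTP data channel (client connected to 50022)
    "pasv ftp data": Packet("tcp", 50022, 40124, syn=False),
    # server opening an active-mode FTP data channel toward our client
    "active ftp data": Packet("tcp", 20, 40125, syn=True),
    # attacker choosing source port 22 to reach an internal service
    "spoofed sport 22": Packet("tcp", 22, 139, syn=True),
    # attacker probing a service listening on an unprivileged port
    "scan of high port": Packet("tcp", 31337, 8080, syn=True),
}


def verdict(policy, packet: Packet) -> str:
    return "ACCEPT" if policy(packet) else "DENY"


def evaluate_all(packets=SAMPLE_PACKETS, policies=POLICIES):
    """Return {policy_name: {packet_name: verdict}}."""
    return {
        pname: {name: verdict(pol, pkt) for name, pkt in packets.items()}
        for pname, pol in policies.items()
    }


def unwanted_accepts(results):
    """Names of the attacker packets each policy lets through."""
    bad = ("spoofed sport 22", "scan of high port")
    return {pname: [n for n in bad if r[n] == "ACCEPT"]
            for pname, r in results.items()}


if __name__ == "__main__":
    results = evaluate_all()
    for pname, r in results.items():
        print(pname)
        for name, v in r.items():
            print(f"  {name:18} {v}")
    print("unwanted:", unwanted_accepts(results))
```

Running the block prints the verdict matrix. The `!SYN` policy lets the ssh and passive FTP replies in while denying both attacker SYNs, which is why passive FTP is preferred: the active-mode data channel is a server-initiated SYN to a high port and is denied by that rule, so it needs either passive mode or a protocol helper that the stateless chain itself cannot provide.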