[PLUG] Firewall Suggestions?

AthlonRob athlonrobnf at cs.com
Fri Jun 21 21:32:23 UTC 2002


Thanks Sandy  :-)

I'm actually using inetd... but I have set up some very basic rules with
hosts.allow and hosts.deny.  I could be missing something totally here...
but I don't think tcpwrappers will keep users logged on via VNC on the
internal network from opening up servers which are open to the external
network (the Internet)... will they?

The basic iptables rules I set up from the IPMasq FAQ, in addition to my
tcpwrappers setup should keep inetd-started servers well behaved... but my
concern is what those logged on via VNC might accidentally do.  My Linux
networking understanding isn't that great... but I seem to recall users are
able to open up and listen to high port numbers (over 1024, was it?).  I
want to disable that, except specific ports I say are ok... for instance, I
want to allow a friend to open a tightvnc connection after he logs in with
SSH.

Thanks for the input and directions... I'm off to do more reading... getting
Squid-Cache and SquidGuard up and running at the time.  :-)

Rob


----- Original Message -----
From: "Sandy Herring" <sandy at herring.org>
To: <plug at lists.pdxlinux.org>
Sent: Friday, June 21, 2002 2:01 PM
Subject: Re: [PLUG] Firewall Suggestions?

On Fri, 21 Jun 2002, AthlonRob wrote:
> Hi-
>
> I'm trying to set up a firewall. [...]
>
> I don't want to mess with connections originating from inside the LAN...
> but I don't want anybody to be able to set up a LISTENING service which
> people could access from the Internet... unless I, root, say they can.
>
> Any suggestions as to an iptables-based firewall configuration program or
> script or something?  :-)

You may have a shorter learning curve with TCP Wrappers than with iptables
or ipchains. Just edit /etc/hosts.allow and /etc/hosts.deny and restart
xinetd. See `man 5 hosts_access' and `man host_options'. You can easily
allow outbound traffic and limit inbound connections.

A good firewall FAQ can be found at: http://www.interhack.net/pubs/fwfaq/

hth,
Sandy
--
Sandy Herring, RHCE                        o              sandy at herring.org
Peck of Pickled Pisces               __  o               http://herring.org/
UNIX or Web authoring questions?  |\/ o\  o  http://herring.org/finger.html
=>http://herring.org/techie.html  |/\__/     http://herring.org/pub-key.asc
*sh, Perl, C, VBA, PICK Assembler, Data/Basic, PROC & profanity spoken here.
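An added example, not from either poster, illustrating the gap Rob raises above: hosts.allow and hosts.deny are consulted only by daemons started through (x)inetd or linked against libwrap, so a listener a logged-in VNC user starts on a high port never sees them, whereas a default-DROP INPUT policy on the outside interface does cover it. The script assumes eth0 faces the Internet, eth1 the LAN, SSH on 22 and a TightVNC display :1 on TCP 5901; the friend's VNC session goes through an SSH tunnel, so 5901 is never opened externally.

```shell
#!/bin/sh
# Added example (assumed interface and port values, not from the thread).
# TCP Wrappers cannot see a daemon a user starts by hand; an iptables
# default-DROP policy on the external interface catches it regardless.
EXT_IF=${EXT_IF:-eth0}      # assumed: interface facing the Internet
LAN_IF=${LAN_IF:-eth1}      # assumed: internal LAN interface, left untouched
SSH_PORT=${SSH_PORT:-22}
VNC_PORT=${VNC_PORT:-5901}  # TightVNC display :1; never opened externally

# Print the ruleset instead of applying it, so it can be reviewed (or tested)
# before being piped to a root shell. Only NEW connections on EXT_IF are
# judged; replies to outbound traffic pass via ESTABLISHED,RELATED.
build_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN_IF -j ACCEPT
iptables -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
iptables -A INPUT -i $EXT_IF -m state --state NEW -j LOG --log-prefix "fw-drop: "
EOF
}

# Is a given TCP port reachable from the Internet under this ruleset?
# Returns 0 only when an explicit ACCEPT for that --dport exists on EXT_IF;
# anything else falls through to the LOG rule and the DROP policy.
ext_port_open() {
    build_rules | grep -q -- "-i $EXT_IF -p tcp --dport $1 .*-j ACCEPT"
}

# What the friend runs from his end: forward his local 5901 over SSH to the
# gateway's loopback, then "vncviewer localhost:1". On the gateway the VNC
# server is started with "vncserver -localhost" so it binds only 127.0.0.1.
vnc_tunnel_cmd() {
    echo "ssh -L $VNC_PORT:127.0.0.1:$VNC_PORT $1@$2"
}

# Apply for real only when invoked as "./fw.sh apply" (as root).
apply_rules() {
    build_rules | sh
}
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Dropped NEW connections on eth0 show up in the kernel log with the "fw-drop:" prefix, which is the quickest way to confirm that a stray high-port listener is in fact unreachable from outside.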