[PLUG] iptables On Default Installs?

Alan alan at clueserver.org
Wed May 5 12:46:02 UTC 2004


On Tue, 2004-05-04 at 22:38, Jason Van Cleve wrote:
> I was pondering "sasser" just now, briefly, as I emailed my old man,
> telling him 'Doze users running ZoneAlarm shouldn't be affected; though
> I'm not absolutely certain that's true.
> 
> Anyway, assuming this sort of attack is blocked by a good firewall (yes,
> and not running unneeded services, etcetera), I'm wondering if distros
> like Fedora and Mandrake are installing with a default iptables
> configuration of any kind.  (For, if I say Linux users are better off
> for security, it isn't because their ports are nicely sealed; to the
> contrary, it can be argued they are better off only because they are not
> running the poopular OS.)  If I recommend the Linux on the desktop for
> this reason, people might expect it to solve the firewall problem, but
> does it?

Red Hat and Mandrake both ship with a firewall.  What gets blocked
depends on what security level you set the machine at and what services
you tell it to open up.  They tend to be better in the most recent
versions.  Most of the configuration utilities give you a list of
"standard" services and allow you to check them.  If you need something
non-standard (like NFS) you have to look up the port numbers and enter
them.  (Usually in the form of port:type.  Example: 443:tcp)

The hard part with Mandrake (and sometimes Red Hat) is figuring out where
they put the iptables data if you need to modify it by hand.  

> It could be a simple matter of adding a startup script or something,
> which is still better than installing ZoneAlarm on Winders.  But with
> Gentoo I had to write my own iptables script, which is not an end user
> type thing.

Yeah.  Not fun having done it too many times.  There are a number of
firewall configuration scripts and programs at
http://www.freshmeat.net/.  They are a good start.  Also "Linux
Firewalls 2nd edition" is very useful for good information on writing
rulesets.  Just make sure you get the errata.


-- 
We are living in the "interesting times" the fortune cookies warned us
about.
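
Added example, not part of the original message and not any distro's own tooling: a small shell script that takes entries in the port:type form mentioned above (443:tcp) and prints a default-deny inbound ruleset in iptables-restore format. The function names and the sample entries are assumptions made for illustration; nothing is applied to the running firewall.

```shell
#!/bin/sh
# Added example: build a default-deny INPUT ruleset from "port:type" entries.
# The ruleset is only printed (iptables-restore format); it is never loaded here.

# valid_entry ENTRY: succeeds only for PORT:tcp or PORT:udp with PORT in 1..65535.
# Strict matching also keeps stray shell or iptables syntax out of the output.
valid_entry() {
    case $1 in *:*) ;; *) return 1 ;; esac
    port=${1%%:*}
    proto=${1#*:}
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    case $port in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#port}" -le 5 ] && [ "$port" -le 65535 ]
}

# emit_ruleset ENTRY...: prints the ruleset, or prints nothing and fails
# if any entry is malformed (no partial ruleset is ever produced).
emit_ruleset() {
    for entry in "$@"; do
        valid_entry "$entry" || { echo "bad entry: $entry" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # inbound: drop unless a rule below accepts
    echo ':FORWARD DROP [0:0]'    # a desktop does not route for others
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this machine opened are let back in.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for entry in "$@"; do
        port=${entry%%:*}
        proto=${entry#*:}
        echo "-A INPUT -p $proto -m $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Constructed sample input: the 443:tcp entry from the message plus SSH.
emit_ruleset 22:tcp 443:tcp
```

The printed ruleset can be checked as root with iptables-restore --test before it is loaded.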