| LeRoy Cressy on Thu, 30 Jan 2003 10:21:05 -0500 |
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 From a security point of view you do not want all ports open from inside your your firewall to the outside. With masquerading everything is open and something might come back throught to hurt you. Thus you should only open up the ports that you really need to communicate on the Internet. for instance: ftp, http, mail, https, ssh, and etc are the ones that you could have open. So setting up specifis rules for communication across the Internet is in your best interest. What would happen if you set up masquerading and a worm came back through on a port that you had open because of masquerading? How many times has some malicious code attacked your system? Here are some lines from my log on my firewall: Jan 26 07:06:44 friendly kernel: Nimda virus IN=eth0 OUT=eth2 SRC=66.56.85.40 DST=192.168.10.1 LEN=112 TOS=0x00 PREC=0x00 TTL=111 ID=22077 DF PROTO=TCP SPT=2583 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0 Jan 26 08:07:34 friendly kernel: Dropped Internet IN=eth0 OUT= MAC=00:40:05:3a:33:a5:00:02:3b:00:3d:c3:08:00 SRC=80.55.130.78 DST=66.92.109.218 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=55479 DF PROTO=TCP SPT=1355 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 Jan 26 08:16:29 friendly kernel: Dropped from eth0 IN=eth0 OUT= MAC=00:40:05:3a:33:a5:00:02:3b:00:3d:c3:08:00 SRC=66.212.80.73 DST=66.92.109.218 LEN=404 TOS=0x00 PREC=0x00 TTL=123 ID=7972 PROTO=UDP SPT=1501 DPT=1434 LEN=384 Jan 26 09:17:41 friendly kernel: Dropped Internet IN=eth0 OUT= MAC=00:40:05:3a:33:a5:00:02:3b:00:3d:c3:08:00 SRC=216.191.83.15 DST=66.92.109.218 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=35793 DF PROTO=TCP SPT=4744 DPT=1433 WINDOW=64240 RES=0x00 SYN URGP=0 I think that the port 1434 was the MS SQL worm this weekend. These are just an example of what a firewall can do for you. Also using a Linux or BSD firewall enables extensive logging that allows you to see what your firewall is doing for you and where the attack might be coming from. Also on the security side you do not want any services running on your firewall because if there is a problem with the service then your firewall and every other machine on your net might be compromised. Also, you should not allow ssh logins on the firewall from the Internet or from any publically accessable box. My own mother was attacked by a worm because she did not take security serious enough. Jeff Abrahamson wrote: All the discussion about firewalls aside, if a machine is running no services available to the outside world, how can an attacker break in? - -- Rev. LeRoy D. Cressy mailto:leroy@lrcressy.com /\_/\ http://lrcressy.com ( o.o ) Phone: 215-535-4037 > ^ < gpg fingerprint: 62DE 6CAB CEE1 B1B3 359A 81D8 3FEF E6DA 8501 AFEA Jesus saith unto him, I am the way, the truth, and the life: no man cometh unto the Father, but by me. (John 14:6) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Using GnuPG with Debian - http://enigmail.mozdev.org iD8DBQE+OUD1P+/m2oUBr+oRAg88AJ4pDDoiS04vWNpS41MRUPqZtst57ACfYvm0 JzIf46KSKOC9WHHqoX/7lOQ= =ELaj -----END PGP SIGNATURE----- _________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce General Discussion -- http://lists.netisland.net/mailman/listinfo/plug
|
|