LeRoy Cressy on Thu, 30 Jan 2003 16:50:31 -0500



Re: [PLUG] firewall risk


Your firewall should not listen for ANY ports! Your firewall should only forward certain packets to the appropriate box on the dmz network. I would not allow any ssh logins from the Internet on the firewall. It would be alright to allow ssh logins on a dmz network box.

Jeff Abrahamson wrote:
On Thu, Jan 30, 2003 at 10:12:42AM -0500, LeRoy Cressy wrote:

From a security point of view you do not want all ports open from inside your firewall to the outside. With masquerading everything is open and something might come back through to hurt you. Thus you should only open up the ports that you really need to communicate on the Internet.


But isn't a port effectively not open if no one listens on it? So it
doesn't matter that my mail server (inside my firewall) is listening
for pop3, because the firewall only listens for ssh.

I could be slicker and refuse other connections, but does it matter
beyond possible DoS?



-- 
Rev. LeRoy D. Cressy   mailto:leroy@lrcressy.com      /\_/\
http://lrcressy.com                                  ( o.o )
Phone: 215-535-4037                                   > ^ <


gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
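As an added illustration that is not part of the thread, the policy LeRoy describes written as a dry-run iptables script: the firewall box itself accepts nothing from the Internet, only chosen ports are forwarded to DMZ hosts (ssh goes to a DMZ box, never to the firewall), and masqueraded LAN hosts may leave only on the ports they really need. Interface names, the DMZ and LAN addresses and the egress port list are constructed assumptions; it prints the commands unless IPTABLES=iptables is set.

```shell
#!/bin/sh
# Dry-run by default: prints the rules instead of loading them.
IPTABLES="${IPTABLES:-echo iptables}"

WAN=eth0; DMZ=eth1; LAN=eth2            # assumed interface names
DMZ_MAIL=192.168.1.10                   # assumed DMZ mail host (constructed)
DMZ_SSH=192.168.1.20                    # assumed DMZ admin host (constructed)
LAN_NET=192.168.2.0/24                  # assumed LAN network (constructed)
LAN_EGRESS_TCP="80 443 25"              # the only outbound TCP ports LAN hosts need

fw_rules() {
    # The firewall itself: drop by default, so no listener on it is reachable
    # from any interface; it only answers its own outbound traffic and loopback.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Return traffic for connections the firewall already forwarded.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Internet -> DMZ: only the published service, rewritten to the DMZ host.
    $IPTABLES -t nat -A PREROUTING -i "$WAN" -p tcp --dport 25 \
        -j DNAT --to-destination "$DMZ_MAIL":25
    $IPTABLES -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_MAIL" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT

    # ssh from the Internet lands on a DMZ box; there is no INPUT rule for it,
    # so the firewall's own sshd (if any) stays unreachable from outside.
    $IPTABLES -t nat -A PREROUTING -i "$WAN" -p tcp --dport 22 \
        -j DNAT --to-destination "$DMZ_SSH":22
    $IPTABLES -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_SSH" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT

    # LAN -> Internet: masquerade, but open only the ports that are needed
    # rather than forwarding everything.
    for port in $LAN_EGRESS_TCP; do
        $IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPTABLES -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

fw_rules
```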

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug