LeRoy Cressy on Fri, 7 Feb 2003 10:02:08 -0500



Re: [PLUG] iptables and NAT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mike,

What you are saying is very true, but for some viruses that never go away and keep hitting your box, like the Nimda virus, which consistently hits my system from all over the place, I drop those packets before they get to the mail server.

I also drop all unauthorized ssh attempts. It seems that someone in Japan keeps trying to log in and port scan my system. Also, all telnet attempts are dropped no matter where they come from.

Also, the original question was concerning port forwarding and masquerading. I went a little overboard in my response to Scott's question.

Michael Leone wrote:
> LeRoy Cressy said:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Ziegler, Scott wrote:
>>
>>> I am trying to set up a Linux workstation (Slackware 8 with 2.4.18
>>> kernel) to tie a local network (192.168.x.x) of XP machines to our
>>> corporate network. The Linux machine has a hard-coded IP address and
>>> it works on the network as far as telnet, ssh, browsing, etc. We need
>>> to have network connectivity from the XP (for all of those M$ updates)
>>> machines through the Linux machine.
>>
>> How much do you want to protect your M$ boxes, since they are the most
>> vulnerable to attack? If you really are concerned about security then
>> you might want to patch the kernel source with the IP tables source.
>> For instance, the string match can prevent email that has known viruses
>> from getting to your windows boxes.
>
> Definitely not the best way to protect email. Especially for new viruses,
> and things that don't match strings easily, or have many possible matches.
>
> Run a virus scanner - there are many for Linux, some free - from your
> email server (investigate amavisd-new; great program for calling out virus
> and spam scanners from an email server). While you're at it, tag the SPAM,
> too, so your users can easily make rules to route it to a holding mailbox
> (never just dump tagged SPAM; it could be a mis-tag, and then you've lost
> real email. Let the users decide for themselves)



- -- Rev. LeRoy D. Cressy mailto:leroy@lrcressy.com /\_/\
http://lrcressy.com ( o.o )
Phone: 215-535-4037 > ^ <


gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQE+Q8niP+/m2oUBr+oRAgAVAJ9ccaVwxYPso+q6KcQ57097epuijgCfW8eF
Su4Je2oFZyNjfIqWzgiEeCw=
=lnkp
-----END PGP SIGNATURE-----

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
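The thread never shows the actual iptables rules for what Scott asked (masquerading a 192.168.x.x LAN through a 2.4-kernel Linux box, plus port forwarding) or for what LeRoy describes doing (dropping ssh from anywhere but trusted sources, dropping all telnet, string-matching known worm traffic). The script below is an added example written for this page; it is not code from either poster. Interface names (eth0 toward the corporate network, eth1 toward the LAN), the LAN range 192.168.1.0/24, the "admin" network allowed to ssh, the forwarded host and port, and the "cmd.exe" pattern used for the optional string-match rule are all assumptions chosen for illustration. It uses only stock 2.4-era iptables features (the `state` match for connection tracking, `MASQUERADE`, `DNAT`); the string-match rule is gated behind a variable because, as LeRoy notes, it needs the patched kernel.

```shell
#!/bin/sh
# Added example, not from the PLUG thread. Linux 2.4 / iptables gateway:
# masquerade a private LAN, forward one TCP port to an internal host,
# and apply the ssh/telnet drop policy described in the reply.
#
#   sh nat.sh show    print the rules that would be applied (no root needed)
#   sh nat.sh apply   apply them (run as root)

LAN_IF=${LAN_IF:-eth1}                  # assumed: LAN side
WAN_IF=${WAN_IF:-eth0}                  # assumed: corporate-network side
LAN_NET=${LAN_NET:-192.168.1.0/24}      # assumed: XP machines live here
ADMIN_NET=${ADMIN_NET:-10.0.0.0/8}      # assumed: only source allowed to ssh in
FWD_HOST=${FWD_HOST:-192.168.1.10}      # assumed: internal host to expose
FWD_PORT=${FWD_PORT:-3389}              # assumed: TCP port forwarded to it
STRING_MATCH=${STRING_MATCH:-}          # set to 1 only on a kernel with the string-match patch

# Wrapper: print the command in dry-run mode, otherwise execute iptables.
ipt() {
    if [ -n "$DRYRUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Start from a clean slate; default-deny on INPUT and FORWARD.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback and replies to connections the gateway itself opened.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Management access from the LAN itself.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # ssh only from the admin network; every other ssh attempt and all
    # telnet is dropped, regardless of source.
    ipt -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -j DROP
    ipt -A INPUT -p tcp --dport 23 -j DROP

    # Optional: drop HTTP requests carrying a known worm probe string.
    # Requires the 2.4 string-match patch; the pattern is an assumption.
    if [ -n "$STRING_MATCH" ]; then
        ipt -A INPUT -p tcp --dport 80 -m string --string "cmd.exe" -j DROP
        ipt -A FORWARD -p tcp --dport 80 -m string --string "cmd.exe" -j DROP
    fi

    # Forwarding: LAN may open connections outward; replies come back.
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerade the LAN behind whatever address the WAN interface has.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Port forward: WAN:FWD_PORT -> FWD_HOST:FWD_PORT. DNAT rewrites the
    # destination in PREROUTING; the FORWARD rule must then admit the
    # rewritten packet, or the default DROP policy eats it.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$FWD_HOST:$FWD_PORT"
    ipt -A FORWARD -i "$WAN_IF" -p tcp -d "$FWD_HOST" --dport "$FWD_PORT" \
        -m state --state NEW -j ACCEPT

    # Routing between interfaces is off by default on Linux; turn it on.
    if [ -n "$DRYRUN" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

case "${1:-}" in
    show)  DRYRUN=1; apply_rules ;;
    apply) apply_rules ;;
esac
```

The order matters in two places: the ssh ACCEPT for `$ADMIN_NET` must precede the blanket DROP on port 22, and the FORWARD ACCEPT for the forwarded host is what actually lets the DNATed packet through, since DNAT alone only rewrites the address. Running `sh nat.sh show` first and reading the printed rules is the cheap way to check both before touching a live gateway.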