LeRoy Cressy on Fri, 19 Sep 2003 07:55:17 -0400



Re: [PLUG] cable modem and MAC



Setting up a firewall is a lot of fun, but to really use some of the neat options in iptables you should grab the iptables source along with the kernel source. I filter for some email viruses using the string match which is not in the standard kernel source.

This enables me to do something like:

iptables -A block -p tcp --dport http -m state --state \
	NEW,ESTABLISHED,RELATED -m string --string "default.ida" \
	-m limit --limit 1/hour  -j LOG --log-prefix " CodeRed virus "

iptables -A block -p tcp --dport http -m state --state \
	NEW,ESTABLISHED,RELATED -m string --string "default.ida" -j DROP

Also, if you have public access like a mail server or web server running, you should have a minimum of 3 ethernet cards in your firewall.
Internet eth0
DMZ eth1
Lan eth2


For the paranoid it should be virtually impossible to get from the DMZ network or the Internet to the Lan, but allow the Lan access to both the Internet and the DMZ. This makes it a little hard, but not impossible, for remote administration / access.

Finally, I was reading an article some time ago in SysAdmin about using kernel modules to break into the system. So I would not allow modules in the firewall or on the public access machines.



Art Clemons wrote:
Paul:
> Good!  Thanks to you and all.  Looks like my GNU/Linux PC will become
> our new router/firewall/wireless access point.  Although I see routers
> for $30 or $40 dollars, that is expensive for me at this time, and I
> figure I can learn more by using iptables.

Since you are going to go this route, could you over the course of a few weeks detail what you're doing for a router. For example are you going to try something like Coyote Linux or are you just going to run a script on an already working box? I personally am intrigued by the concept of a one floppy setup system and have played with them but the NAT routers are fun. Of course tcpdumping the IP address was fun, and let me know that at least someone in my cable subnet was scanning ports.

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug



-- 
Rev. LeRoy D. Cressy   mailto:leroy@lrcressy.com   /\_/\
http://lrcressy.com                                ( o.o )
Phone: 215-535-4037                                > ^ <


gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

For info on enigmail:    http://lrcressy.com/linux/mozilla.pdf
For info on gpg:         http://www.gnupg.org/

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
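Worked example, added here and not taken from the message above or from anyone on the list: an iptables FORWARD policy for the three-card layout LeRoy describes (eth0 Internet, eth1 DMZ, eth2 Lan), with the CodeRed string match carried over. The subnets 192.0.2.0/24 and 10.0.0.0/24, the published DMZ services (web and SMTP) and the chain layout are assumptions; note that the string match in current kernels requires --algo, which the 2003 patch-o-matic version did not.

```shell
#!/bin/sh
# Added example, not from the original post. Three-interface firewall as
# laid out above: eth0 Internet, eth1 DMZ, eth2 LAN. Subnets, the published
# DMZ services (web, SMTP) and the interface names are assumptions.
# Set IPT="echo iptables" to print the rules instead of loading them.
IPT="${IPT:-iptables}"
WAN=eth0; DMZ=eth1; LAN=eth2
DMZ_NET=192.0.2.0/24; LAN_NET=10.0.0.0/24

fw_rules() {
    # Default deny for everything routed through the box
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # CodeRed probe filter (string match now needs --algo, unlike the 2003
    # patch). It must sit before the ESTABLISHED accept: the HTTP request
    # arrives on an already-established TCP connection.
    $IPT -A FORWARD -o $DMZ -p tcp --dport 80 -m string --algo bm --string "default.ida" \
        -m limit --limit 1/hour -j LOG --log-prefix " CodeRed virus "
    $IPT -A FORWARD -o $DMZ -p tcp --dport 80 -m string --algo bm --string "default.ida" -j DROP
    # Replies for connections that were allowed to start
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN may open connections to both the Internet and the DMZ
    $IPT -A FORWARD -i $LAN -s $LAN_NET -o $WAN -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN -s $LAN_NET -o $DMZ -d $DMZ_NET -m state --state NEW -j ACCEPT
    # Internet may open connections only to the published DMZ services
    $IPT -A FORWARD -i $WAN -o $DMZ -d $DMZ_NET -p tcp -m multiport --dports 80,25 \
        -m state --state NEW -j ACCEPT
    # Nothing from the DMZ or the Internet may open a connection into the LAN;
    # log a sample so the attempt is visible, then drop
    $IPT -A FORWARD -o $LAN -m state --state NEW -m limit --limit 1/min \
        -j LOG --log-prefix " LAN ingress blocked "
    $IPT -A FORWARD -o $LAN -m state --state NEW -j DROP
}

# Only load the rules when asked to: run "sh fw.sh apply" as root
if [ "${1:-}" = apply ]; then fw_rules; fi
```

Run it first with IPT="echo iptables" to review the generated rule set before loading it on the firewall.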
