Re: [gentoo-user] OT 0.0.0.0 security query
On Sunday 28 May 2006 16:53, Dave S wrote:

> Yep, same here. I was trying to lock down my router. By default it allows any outgoing packets and only allows incoming packets if they are related to the incoming packets. I was trying to lock down my outgoing packets so services such as Samba would not broadcast anything to the WAN. As such I defaulted outgoing to BLOCK and allowed only certain ports. However I then needed to allow ports between computers, i.e. for Samba again. When I opened the port on the LAN between computers my router wanted at least one IP address for the WAN. I did not want to give it a real address so chose 0.0.0.0.
>
> I was really asking ...
>
> (a) Is it worthwhile setting up my router this way, or am I being paranoid :)

I do not think it wise to set up your router that way.

Here's a little theory. I apologize if you're familiar with it, but it is necessary for later development. When in a LAN, a packet will not reach the WAN unless you specify you want it to; that includes broadcasts. An element of an IP address is a number between 0 and 254. 255 is used only for broadcasting. Moreover, rsync and samba, and most daemons, take as a parameter the address or address range they can accept connections from. An incoming connection from the WAN could not connect to the daemon even if it wanted to.

> (b) Is 0.0.0.0 an invalid IP address (I thought it might be)? Because that is what I was looking for to trick my router to send nothing to the WAN.

An IP address is meaningful only in conjunction with a mask. 0.0.0.0 with mask 255.255.255.255 means broadcast to every single IP address that exists, since the mask indicates between which boundaries the IP number can vary (in this case every IP address item can vary between 0 and 254). As a conclusion, this is definitely not what you want to do ! ;-)

So, taking as a hypothesis that you trust everyone on your LAN, here's what you should do :

- Set the policy for incoming connections to BLOCK.
- Unblock the services you actually need the net to access. Plus, in the config file of the daemon, specify it should listen to 0.0.0.0.
- Allow traffic from your LAN to the WAN (again, if you trust everyone). And set up each daemon to only listen to 192.168.0.1/24 (which means only addresses that begin with 192.168.0).
- Set up daemons to broadcast on 192.168.0.255.

I hope this was clear, I have hardly slept last night !

-- 
Jonathan

PS : No need to apologize for the delay, I know even gentooists have lives ;)

-- 
gentoo-user@gentoo.org mailing list
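A small model of how the outgoing rule table and the address-plus-mask combination discussed in this thread behave, added here as an illustration; it is not code from the thread or from Netgear. It assumes only the general rule that traffic between two LAN hosts never crosses the router's WAN rule set, and the sample WAN address 203.0.113.10 is constructed.

```python
import ipaddress
from dataclasses import dataclass

# The LAN from the thread (Jonathan writes it as 192.168.0.1/24).
LAN = ipaddress.ip_network("192.168.0.0/24")


@dataclass(frozen=True)
class Rule:
    service: str      # "Service Name" column of the DG834 table
    action: str       # "ALLOW" or "BLOCK"
    lan_users: str    # "Any" or one host address, as typed into the router UI
    wan_servers: str  # "Any" or one host address, as typed into the router UI


# A subset of Dave's outgoing table, in the order shown; first match wins.
OUTGOING = [
    Rule("rsync", "ALLOW", "Any", "0.0.0.0"),
    Rule("Samba", "ALLOW", "Any", "0.0.0.0"),
    Rule("HTTP", "ALLOW", "Any", "Any"),
    Rule("Any(ALL)", "BLOCK", "Any", "Any"),
]


def _host_matches(field: str, addr: ipaddress.IPv4Address) -> bool:
    """'Any' matches every address; a lone address is a /32 and matches only itself."""
    return field == "Any" or addr in ipaddress.ip_network(f"{field}/32")


def decide(src: str, dst: str, service: str, rules=OUTGOING) -> str:
    """What the outgoing table does with one packet of `service` from src to dst.
    Assumption (general LAN/WAN router behaviour, not documented DG834 internals):
    a destination inside the LAN is switched locally and never reaches these rules."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in LAN:
        return "LAN-ONLY"
    for r in rules:
        if (r.service in (service, "Any(ALL)") and _host_matches(r.lan_users, s)
                and _host_matches(r.wan_servers, d)):
            return f"{r.action}:{r.service}"
    return "DEFAULT-ALLOW"  # the table's "Default ... ALLOW always" row


def mask_facts() -> dict:
    """The mask, not the address alone, decides how many addresses a prefix covers."""
    return {
        "0.0.0.0/32": ipaddress.ip_network("0.0.0.0/32").num_addresses,  # exactly one
        "0.0.0.0/0": ipaddress.ip_network("0.0.0.0/0").num_addresses,    # every IPv4 address
        "lan_broadcast": str(LAN.broadcast_address),                      # 192.168.0.255
        "lan_usable_hosts": LAN.num_addresses - 2,                        # 254
    }
```

Samba between 192.168.0.5 and 192.168.0.6 never consults the table at all, while an rsync rule whose WAN server is 0.0.0.0 permits nothing on the real WAN, so the catch-all BLOCK row applies.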
Re: [gentoo-user] OT 0.0.0.0 security query
On Monday 29 May 2006 11:14, Jonathan Chocron wrote:

> On Sunday 28 May 2006 16:53, Dave S wrote:
>
> > Yep, same here. I was trying to lock down my router. By default it allows any outgoing packets and only allows incoming packets if they are related to the incoming packets. I was trying to lock down my outgoing packets so services such as Samba would not broadcast anything to the WAN. As such I defaulted outgoing to BLOCK and allowed only certain ports. However I then needed to allow ports between computers, i.e. for Samba again. When I opened the port on the LAN between computers my router wanted at least one IP address for the WAN. I did not want to give it a real address so chose 0.0.0.0.
> >
> > I was really asking ...
> >
> > (a) Is it worthwhile setting up my router this way, or am I being paranoid :)
>
> I do not think it wise to set up your router that way.
>
> Here's a little theory. I apologize if you're familiar with it, but it is necessary for later development. When in a LAN, a packet will not reach the WAN unless you specify you want it to; that includes broadcasts. An element of an IP address is a number between 0 and 254. 255 is used only for broadcasting. Moreover, rsync and samba, and most daemons, take as a parameter the address or address range they can accept connections from. An incoming connection from the WAN could not connect to the daemon even if it wanted to.

With you so far :)

> > (b) Is 0.0.0.0 an invalid IP address (I thought it might be)? Because that is what I was looking for to trick my router to send nothing to the WAN.
>
> An IP address is meaningful only in conjunction with a mask. 0.0.0.0 with mask 255.255.255.255 means broadcast to every single IP address that exists, since the mask indicates between which boundaries the IP number can vary (in this case every IP address item can vary between 0 and 254). As a conclusion, this is definitely not what you want to do ! ;-)

Gulp :(

> So, taking as a hypothesis that you trust everyone on your LAN, here's what you should do :
>
> - Set the policy for incoming connections to BLOCK.
> - Unblock the services you actually need the net to access. Plus, in the config file of the daemon, specify it should listen to 0.0.0.0.
> - Allow traffic from your LAN to the WAN (again, if you trust everyone). And set up each daemon to only listen to 192.168.0.1/24 (which means only addresses that begin with 192.168.0).
> - Set up daemons to broadcast on 192.168.0.255.
>
> I hope this was clear, I have hardly slept last night !

That helps a lot, thank you for taking the time to explain. I will have a google so I understand netmasks and IPs a bit more :(

> -- 
> Jonathan
>
> PS : No need to apologize for the delay, I know even gentooists have lives ;)

Wish I was 24/7 Linux - have to pay the mortgage though !

Thanks once again

Dave

-- 
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] OT 0.0.0.0 security query
On Saturday 27 May 2006 23:46, Jonathan Chocron wrote:

> On Saturday 27 May 2006 11:40, Dave S wrote:
>
> > Hi all,
> >
> > This is a bit OT but I have a netgear router DG834 ADSL firewall router. I have restricted my incoming services with ...
> >
> > Enable       Service Name  Action        LAN Server IP address  WAN Users  Log
> > on           bit torrent   ALLOW always  192.168.0.5            Any        Always
> > Default Yes  Any           BLOCK always  Any                    Any        Never
> >
> > And tightened my outgoing services with ...
> >
> > Enable       Service Name  Action        LAN Users    WAN Servers  Log
> > on           HTTP          ALLOW always  Any          Any          Always
> > on           HTTPS         ALLOW always  Any          Any          Always
> > on           POP           ALLOW always  Any          Any          Always
> > on           SMTP          ALLOW always  Any          Any          Always
> > on           NTP           ALLOW always  Any          Any          Always
> > on           FTP           ALLOW always  Any          Any          Always
> > on           rsync         ALLOW always  Any          0.0.0.0      Never
> > on           GM Port 389   ALLOW always  192.168.0.6  Any          Always
> > on           GM Port 1503  ALLOW always  192.168.0.6  Any          Always
> > on           GM Port 1731  ALLOW always  192.168.0.6  Any          Always
> > on           GM 1024-65K   ALLOW always  192.168.0.6  Any          Always
> > on           H.323         ALLOW always  192.168.0.6  Any          Always
> > on           Port 1023     ALLOW always  Any          Any          Always
> > on           Samba         ALLOW always  Any          0.0.0.0      Always
> > on           samba2        ALLOW always  Any          0.0.0.0      Always
> > on           samba3        ALLOW always  Any          0.0.0.0      Always
> > on           Any(ALL)      BLOCK always  Any          Any          Always
> > Default Yes  Any           ALLOW always  Any          Any
> >
> > Some services like rsync and samba I want to keep within my LAN but my DG834 insists I give it at least one IP address on the WAN that my service can be broadcast to. I selected 0.0.0.0.
> >
> > Can anyone advise, am I going about this the right way, any comment greatly appreciated :)
> >
> > Cheers
> >
> > Dave
>
> I am not the best net admin on earth, but it seems to me that 0.0.0.0 is definitely not a broadcast address. If you want to keep things in your LAN, you should have something like 192.168.0.255 instead.
>
> Moreover, I do not quite understand what you are trying to do. I had approximately the same router (same brand anyway), and it did not block any LAN-only services.

Yep, same here. I was trying to lock down my router. By default it allows any outgoing packets and only allows incoming packets if they are related to the incoming packets. I was trying to lock down my outgoing packets so services such as Samba would not broadcast anything to the WAN. As such I defaulted outgoing to BLOCK and allowed only certain ports. However I then needed to allow ports between computers, i.e. for Samba again. When I opened the port on the LAN between computers my router wanted at least one IP address for the WAN. I did not want to give it a real address so chose 0.0.0.0.

I was really asking ...

(a) Is it worthwhile setting up my router this way, or am I being paranoid :)

(b) Is 0.0.0.0 an invalid IP address (I thought it might be)? Because that is what I was looking for to trick my router to send nothing to the WAN.

Cheers

Dave

PS Sorry for the delay, I am an on-call engineer and have been away.

> What you're telling it is, for example, to block *outgoing* rsync. This should not in any case be blocking an rsync between two machines inside your LAN.
>
> I hope this helps, even if I am not quite sure I understand what you're trying to do.
>
> -- 
> Jonathan

Apologies for my poor explanation :)

-- 
gentoo-user@gentoo.org mailing list
[gentoo-user] OT 0.0.0.0 security query
Hi all,

This is a bit OT but I have a netgear router DG834 ADSL firewall router. I have restricted my incoming services with ...

Enable       Service Name  Action        LAN Server IP address  WAN Users  Log
on           bit torrent   ALLOW always  192.168.0.5            Any        Always
Default Yes  Any           BLOCK always  Any                    Any        Never

And tightened my outgoing services with ...

Enable       Service Name  Action        LAN Users    WAN Servers  Log
on           HTTP          ALLOW always  Any          Any          Always
on           HTTPS         ALLOW always  Any          Any          Always
on           POP           ALLOW always  Any          Any          Always
on           SMTP          ALLOW always  Any          Any          Always
on           NTP           ALLOW always  Any          Any          Always
on           FTP           ALLOW always  Any          Any          Always
on           rsync         ALLOW always  Any          0.0.0.0      Never
on           GM Port 389   ALLOW always  192.168.0.6  Any          Always
on           GM Port 1503  ALLOW always  192.168.0.6  Any          Always
on           GM Port 1731  ALLOW always  192.168.0.6  Any          Always
on           GM 1024-65K   ALLOW always  192.168.0.6  Any          Always
on           H.323         ALLOW always  192.168.0.6  Any          Always
on           Port 1023     ALLOW always  Any          Any          Always
on           Samba         ALLOW always  Any          0.0.0.0      Always
on           samba2        ALLOW always  Any          0.0.0.0      Always
on           samba3        ALLOW always  Any          0.0.0.0      Always
on           Any(ALL)      BLOCK always  Any          Any          Always
Default Yes  Any           ALLOW always  Any          Any

Some services like rsync and samba I want to keep within my LAN but my DG834 insists I give it at least one IP address on the WAN that my service can be broadcast to. I selected 0.0.0.0.

Can anyone advise, am I going about this the right way, any comment greatly appreciated :)

Cheers

Dave

-- 
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] OT 0.0.0.0 security query
On Saturday 27 May 2006 11:40, Dave S wrote:

> Hi all,
>
> This is a bit OT but I have a netgear router DG834 ADSL firewall router. I have restricted my incoming services with ...
>
> Enable       Service Name  Action        LAN Server IP address  WAN Users  Log
> on           bit torrent   ALLOW always  192.168.0.5            Any        Always
> Default Yes  Any           BLOCK always  Any                    Any        Never
>
> And tightened my outgoing services with ...
>
> Enable       Service Name  Action        LAN Users    WAN Servers  Log
> on           HTTP          ALLOW always  Any          Any          Always
> on           HTTPS         ALLOW always  Any          Any          Always
> on           POP           ALLOW always  Any          Any          Always
> on           SMTP          ALLOW always  Any          Any          Always
> on           NTP           ALLOW always  Any          Any          Always
> on           FTP           ALLOW always  Any          Any          Always
> on           rsync         ALLOW always  Any          0.0.0.0      Never
> on           GM Port 389   ALLOW always  192.168.0.6  Any          Always
> on           GM Port 1503  ALLOW always  192.168.0.6  Any          Always
> on           GM Port 1731  ALLOW always  192.168.0.6  Any          Always
> on           GM 1024-65K   ALLOW always  192.168.0.6  Any          Always
> on           H.323         ALLOW always  192.168.0.6  Any          Always
> on           Port 1023     ALLOW always  Any          Any          Always
> on           Samba         ALLOW always  Any          0.0.0.0      Always
> on           samba2        ALLOW always  Any          0.0.0.0      Always
> on           samba3        ALLOW always  Any          0.0.0.0      Always
> on           Any(ALL)      BLOCK always  Any          Any          Always
> Default Yes  Any           ALLOW always  Any          Any
>
> Some services like rsync and samba I want to keep within my LAN but my DG834 insists I give it at least one IP address on the WAN that my service can be broadcast to. I selected 0.0.0.0.
>
> Can anyone advise, am I going about this the right way, any comment greatly appreciated :)
>
> Cheers
>
> Dave

I am not the best net admin on earth, but it seems to me that 0.0.0.0 is definitely not a broadcast address. If you want to keep things in your LAN, you should have something like 192.168.0.255 instead.

Moreover, I do not quite understand what you are trying to do. I had approximately the same router (same brand anyway), and it did not block any LAN-only services. What you're telling it is, for example, to block *outgoing* rsync. This should not in any case be blocking an rsync between two machines inside your LAN.

I hope this helps, even if I am not quite sure I understand what you're trying to do.

-- 
Jonathan

-- 
gentoo-user@gentoo.org mailing list