On Sat, Apr 19, 2014 at 9:36 AM, Chuck Anderson <[email protected]> wrote: > I was curious to see what services were open on the WAN to the CeroWrt > router itself. It looks like the following services are open and not > firewalled via iptables directly: > > 21 telnet > 22 ssh > 23 ftp > 873 rsync > 12865 netserver > > The only thing blocking access is the xinetd configuration: > > defaults > { > per_source = 16 > only_from = 192.168.0.0/16 172.16.0.0/12 > instances = 18 > max_load = 16 > }
> Is this a good idea, relying only on this default config to block > access to those services? Or should the iptables firewall default to > blocking everything and only poke holes where they are needed rather > than how it is now--only blocking a list of ports which doesn't > include the above ports? telnet and ftp are actually sensors that detect probe attempts and block off attempts to access any other services from the offending IP. I like the sensor capability, and wish it could trigger adding firewall rules as well. Rsync has no conf file by default, and ssh and netserver are limited by default to the common internal IP addresses. You can tighten these down further if you like. > _______________________________________________ > Cerowrt-devel mailing list > [email protected] > https://lists.bufferbloat.net/listinfo/cerowrt-devel -- Dave Täht NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article _______________________________________________ Cerowrt-devel mailing list [email protected] https://lists.bufferbloat.net/listinfo/cerowrt-devel
