On Thu, 11 Oct 2001 [EMAIL PROTECTED] wrote:

> Hello Mike, hello List.
>
> > On Wed, Oct 10, 2001 at 11:37:36AM -0400, Mike Dresser wrote:
> [...]
> > I want to deny ports 23, 37,137,139, etc, from the Internet, but allow
> > them from Y.
> [...]
>
> What about configuring services to listen only on one _specific_
> interface/ip? (In your case Y) So you perhaps don't have to take care about
> a confusing firewall setup... hiding services is not the way[tm] to make or
> keep a network secure.

This has the slightly nasty side-effect of putting the IP address in many config files (and next time you want to change the internal IP address...).

Also, consider this some sort of pessimistic configuration: you can't be sure if you'll remember to configure correctly services X, Y, Z and W (and Debian is far from being "secure by default". Who knows what an unexpected upgrade might do?).

So in your ipchains configuration you make sure that (almost) no matter how badly those daemons are configured, they still can't be accessed from the internet.

-- 
Tzafrir Cohen
mailto:[EMAIL PROTECTED]
http://www.technion.ac.il/~tzafrir
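
An added example, not part of the original thread: a Python check that reads listening sockets and reports, for the ports named above, which daemons are bound to something other than the internal address and so depend on the packet filter alone. The sample `netstat -ltun` output, the 192.168.1.0/24 range standing in for Y, and all function names are assumptions.

```python
import ipaddress

# Constructed sample in the layout of Linux `netstat -ltun` (not from the thread).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.5:37          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 192.168.1.1:137         0.0.0.0:*
tcp6       0      0 :::23                   :::*                    LISTEN
"""

RESTRICTED_PORTS = {23, 37, 137, 139}                   # ports named in the thread
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed range for "Y"

def parse_listeners(text):
    """Yield (proto, address, port) for every tcp/udp line in netstat output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        try:
            addr = ipaddress.ip_address(host.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            continue  # unparsable local address
        yield fields[0], addr, int(port)

def classify(addr):
    """Say how far a bind address reaches if the packet filter were absent."""
    if addr.is_unspecified:
        return "wildcard"    # every interface: only the firewall protects it
    if addr.is_loopback or addr in INTERNAL_NET:
        return "internal"    # the daemon itself is restricted to the inside
    return "external"        # bound to a specific non-internal address

def audit(text):
    """Return (proto, address, port, verdict) for restricted ports only."""
    return [(proto, str(addr), port, classify(addr))
            for proto, addr, port in parse_listeners(text)
            if port in RESTRICTED_PORTS]

if __name__ == "__main__":
    for proto, addr, port, verdict in audit(SAMPLE):
        print(f"{proto:5} {addr}:{port:<5} {verdict}")
```

Entries reported as "wildcard" or "external" are the ones an input-chain deny rule on the Internet-facing interface has to cover.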

