I don't know precisely what went wrong with your situation, though offhand I'd
guess either (a) the cable company's blocks fell down and someone jumped in,
or else (b) you had a daemon running on a higher port, which someone was able
to use to break in, after which they were able to reconfigure your system
(e.g. remapping ports).
But I'd make a couple of recommendations for adjusting your setup.
First off, if it were my box I'd switch the two network interfaces, use the
builtin 10Mbps ethernet for the in-house network and the PCMCIA ethernet for
the cable modem. PCMCIA is only 4Mbps, so you want it on the slower net.
Then I'd configure it like a serious firewall. I'd disable all daemons on the
firewall except for ssh, configured so only I could get in (using RSA
authentication only), then adjust the ipfw filtering so it's only visible from
the inside net. Then add select proxies for those additional protocols I
wanted to run. For a home system, I'd run Postfix for email forwarding, and I
guess I'd run Squid for a caching http proxy, configured with ipfw so it's
only accessible from the inside. I'd probably rig things so there was no DNS
visible inside the home net; if any machines there required it I'd set up a
private root. If you use non-transparent proxies (work great for email and
http, can be made to work usably for other protocols) then you don't need
internet nameservice visible inside your firewall. Let the firewall run a
caching nameserver for performance, run the latest version of bind-8.
If I needed any more services I'd add them carefully, using proxies from fwtk
and reinforcing the config with packet filtering rules. If you want to offer
any services visible from the internet, they need to either offer public info
anonymously (I'd probably use Jef Poskanzer's thttpd[1]) or else use securable
protocols suitable for the internet security situation --- perhaps an SSL web
server, or carefully configured tightly restricted ssh tunnels. It's easy to
make a file downloader based on ssh; the authorized_keys file can specify a
command to run instead of a shell for incoming connections authorized on a
given key.
-Bennett
[1] <URL:http://www.acme.com/software/thttpd/>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
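The ssh-based file downloader Bennett sketches at the end, written out as an added example (this is not code from the post; the script name, the install path, the `fetch` account and the `/var/pub` export directory are assumptions). An OpenSSH `command=` option in `authorized_keys` replaces whatever command the client asked for with this script, and the `no-*` options close the pty, port-forwarding and agent channels that a shell login would otherwise bring along. The client's request arrives only as the text of `SSH_ORIGINAL_COMMAND`, so the script treats it as untrusted input and serves nothing but plain files directly inside the export directory.

```shell
#!/bin/sh
# ssh-fetch: forced-command file downloader for an authorized_keys entry.
# Added example, not code from the post; paths and names are assumptions.
#
# Install as /usr/local/bin/ssh-fetch (hypothetical path) and bind a key to it
# in ~fetch/.ssh/authorized_keys (OpenSSH syntax, all on one line):
#
#   command="/usr/local/bin/ssh-fetch serve",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... client-key
#
# A client then runs:   ssh fetch@firewall archive.tar.gz > archive.tar.gz
# sshd ignores the client's command, runs this script instead, and passes the
# requested name in SSH_ORIGINAL_COMMAND. Whatever the client asks for, only a
# plain file directly inside $PUBDIR is ever read.

PUBDIR="${PUBDIR:-/var/pub}"      # assumed export directory

# fetch_file NAME: copy $PUBDIR/NAME to stdout and return 0, or return 1 after
# saying why on stderr (sshd relays stderr to the client and the refusal is
# worth logging on the firewall). NAME must be a single path component made of
# a conservative character set: no slashes, no leading dot, no shell metachars.
fetch_file() {
    name=$1
    case "$name" in
        '')
            echo "ssh-fetch: no file named" >&2; return 1 ;;
        */* | .*)
            echo "ssh-fetch: refused '$name': plain names in the export directory only" >&2; return 1 ;;
        *[!A-Za-z0-9._-]*)
            echo "ssh-fetch: refused '$name': bad characters" >&2; return 1 ;;
    esac
    # Regular files only; a symlink planted in $PUBDIR must not lead outside it.
    if [ ! -f "$PUBDIR/$name" ] || [ -L "$PUBDIR/$name" ]; then
        echo "ssh-fetch: no such file: $name" >&2
        return 1
    fi
    cat -- "$PUBDIR/$name"
}

# Act as the forced command only when invoked with the literal word "serve"
# (as in the authorized_keys line above); without it the script can be
# sourced to exercise fetch_file directly.
if [ "${1:-}" = serve ]; then
    fetch_file "${SSH_ORIGINAL_COMMAND:-}"
    exit $?
fi
```

OpenSSH 7.2 and later accept `restrict` as a single option that turns off every forwarding and pty feature at once, which is easier to keep correct than listing each `no-*` option by hand; the spelled-out form above is what older sshd releases understand. The refusals on stderr, together with sshd's own login records, give the firewall a clear trace of any key holder probing for names outside the export directory.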