Yup, FWIW I actually run IMAP on my firewall box, however I've told
ipchains not to allow any external connections on that port. So IMAP/POP
are usable inside the house, but nobody on the outside can get to them.
Of course the next step is to run a log checker; then you get to see all
the people trying to connect on various ports (IMAP being a good one).
--rdp
P.S. This new reply to thing really sucks.
On Tue, 21 Mar 2000, Karl J. Runge wrote:
>
> On Tue, 21 Mar 2000, Rich Payne <[EMAIL PROTECTED]> wrote:
> > Yes, Paul raises a good point here that I should have touched upon. Do not
> > run anything on that system that it doesn't need, this includes:
> >
> > Any of the r programs (rsh, rexec, etc....) (edit your /etc/inetd.conf)
> > Anything to do with NFS, NIS
> > Telnet, use ssh instead
> > Don't run anon-ftp unless you really need it
> > X
> > imap,pop, even sendmail if you don't need it
> > DHCP/BOOTP
> > SWAT (Samba config), LinuxConf
> > talk etc.....
>
> Yes, it is good to not run this type of stuff on the firewall.
>
> Another way to approach thinking about this (perhaps more relevant to the
> simple home LAN we are talking about than to a company) is to set
> up the firewall to block any access to these sorts of services so that there
> would not be a problem even if they were *accidentally* running.
>
> By this I mean, start from a very tight ship:
>
> - Block *ALL* UDP traffic to/from the internet, except for DNS to a small
> number of known servers (e.g. your ISP and/or what is in
> /etc/resolv.conf) If your firewall box gets its IP address from your ISP
> (e.g. mediaone), you'd also need to let in UDP traffic for
> DHCP/BOOTP exchanges with your ISP.
>
> - Block *ALL* incoming TCP connections from the internet, except for
> the services you want to provide. This might be, e.g. 1) nothing,
> 2) incoming ssh only, 3) sendmail/webserver...
>
> - There are probably just a few ICMPs you'd want to accept (can't remember
> just now which ones are OK)
>
> I'm not advocating being lazy about what one runs on the firewall box,
> but the above provides a great first defense. And for a Home system one
> can get away with a tight setup since the users tend to be more
> reasonable than at work ;-)
>
> Karl Runge
>
>
> **********************************************************
> To unsubscribe from this list, send mail to
> [EMAIL PROTECTED] with the following text in the
> *body* (*not* the subject line) of the letter:
> unsubscribe gnhlug
> **********************************************************
>
Rich Payne
[EMAIL PROTECTED] www.alphalinux.org
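As an added example, not code from either poster: the ipchains "tight ship" Karl lays out (default DENY on input, UDP only for DNS replies from the servers in /etc/resolv.conf and the ISP's DHCP/BOOTP exchange, new TCP connections only to the services you choose, a short list of ICMP types) generated as a ruleset, followed by the log checker Rich mentions, run over the kernel log lines that the -l rules produce. The interface names (eth0 to the internet, eth1 to the house), the ICMP whitelist and the service/port table are my assumptions; the log lines are constructed to match the Linux 2.2 ipchains "Packet log:" format and are not real captures.

```python
"""Added example (not from the thread): build a tight ipchains input chain
for a home firewall, then summarize the kernel log its -l rules write.

Assumptions of mine: eth0 faces the internet, eth1 faces the LAN, and the
external address is leased from the ISP by DHCP.  SAMPLE_LOG is constructed
to match the ipchains "Packet log:" format, not a real capture.
"""
import re
from collections import Counter

EXT_IF = "eth0"  # assumed internet-facing interface
INT_IF = "eth1"  # assumed LAN-side interface

# ICMP types worth accepting from the internet (my pick; Karl only says
# "a few"): replies and error reports for traffic this box originated.
# echo-request is deliberately absent, so the box does not answer pings.
SAFE_ICMP = ["echo-reply", "destination-unreachable", "source-quench",
             "time-exceeded", "parameter-problem"]


def dns_servers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf text."""
    return [parts[1] for parts in (ln.split() for ln in resolv_conf_text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]


def build_ruleset(resolv_conf_text, tcp_services=(), uses_dhcp=True):
    """Return the ipchains commands, in order, for the 'input' chain.

    tcp_services: ports to offer to the internet (e.g. 22 for ssh).  Anything
    else arriving on EXT_IF is denied and logged, so a daemon running by
    accident (imap, pop, X...) stays reachable from the LAN but not outside.
    """
    rules = [
        "ipchains -F input",
        "ipchains -P input DENY",                    # default: drop it
        "ipchains -A input -i lo -j ACCEPT",         # loopback
        f"ipchains -A input -i {INT_IF} -j ACCEPT",  # the house side
    ]
    # UDP: only DNS replies from the known servers...
    for ns in dns_servers(resolv_conf_text):
        rules.append(f"ipchains -A input -i {EXT_IF} -p udp -s {ns} 53 "
                     "-d 0/0 1024:65535 -j ACCEPT")
    # ...and the DHCP/BOOTP exchange with the ISP, if the address is leased
    if uses_dhcp:
        rules.append(f"ipchains -A input -i {EXT_IF} -p udp -s 0/0 67 "
                     "-d 0/0 68 -j ACCEPT")
    # TCP without SYN belongs to connections we opened ourselves (ipchains
    # is stateless, so this is how replies to outgoing connections get in)
    rules.append(f"ipchains -A input -i {EXT_IF} -p tcp ! -y -j ACCEPT")
    # TCP SYN only to the services we choose to provide
    for port in tcp_services:
        rules.append(f"ipchains -A input -i {EXT_IF} -p tcp -d 0/0 {port} "
                     "-y -j ACCEPT")
    for t in SAFE_ICMP:  # ipchains takes the ICMP type in the -s port slot
        rules.append(f"ipchains -A input -i {EXT_IF} -p icmp -s 0/0 {t} "
                     "-j ACCEPT")
    # everything else from the internet: deny and log (-l) it
    rules.append(f"ipchains -A input -i {EXT_IF} -l -j DENY")
    return rules


# Kernel log line written for a rule with -l (trailing fields ignored here):
# "Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ..."
LOG_RE = re.compile(r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
                    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
                    r"(?P<dst>[\d.]+):(?P<dport>\d+)")
PROTO_NAMES = {6: "tcp", 17: "udp"}
PORT_NAMES = {22: "ssh", 23: "telnet", 25: "smtp", 110: "pop3",
              111: "sunrpc", 143: "imap", 513: "login", 514: "shell"}


def summarize_denied(log_text):
    """Count DENY entries that arrived on EXT_IF, per target port and per source.

    Returns two Counters keyed like 'tcp/143 (imap)' and '203.0.113.9'.
    """
    per_port, per_source = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("target") != "DENY" or m.group("iface") != EXT_IF:
            continue
        proto = PROTO_NAMES.get(int(m.group("proto")), "proto" + m.group("proto"))
        dport = int(m.group("dport"))
        label = f"{proto}/{dport}"
        if dport in PORT_NAMES:
            label += f" ({PORT_NAMES[dport]})"
        per_port[label] += 1
        per_source[m.group("src")] += 1
    return per_port, per_source


# Constructed syslog excerpt (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Mar 21 22:14:03 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:2212 198.51.100.20:143 L=60 S=0x00 I=41234 F=0x4000 T=48 SYN (#11)
Mar 21 22:14:05 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:2213 198.51.100.20:110 L=60 S=0x00 I=41235 F=0x4000 T=48 SYN (#11)
Mar 21 22:15:40 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.77:3011 198.51.100.20:143 L=60 S=0x00 I=9911 F=0x4000 T=52 SYN (#11)
Mar 21 22:16:02 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.5:1025 198.51.100.20:111 L=120 S=0x00 I=17 F=0x0000 T=60 (#11)
Mar 21 22:16:30 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.8:40001 198.51.100.20:22 L=60 S=0x00 I=3 F=0x4000 T=60 SYN (#8)
"""

if __name__ == "__main__":
    for rule in build_ruleset("nameserver 192.0.2.1\n", tcp_services=[22]):
        print(rule)
    ports, sources = summarize_denied(SAMPLE_LOG)
    for label, n in ports.most_common():
        print(f"{n:4d}  {label}")
    for src, n in sources.most_common():
        print(f"{n:4d}  from {src}")
```

The rule order matters: the "! -y" ACCEPT comes before the per-service SYN rules, and the logging DENY comes last so that only traffic nothing else matched is recorded. Because ipchains has no connection tracking, the "! -y" rule lets in any non-SYN TCP segment from outside; that is the price of the 2.2 packet filter and is one reason the later stateful netfilter replaced it. With a DENY policy on input, an accidentally running IMAP or POP daemon is reachable only from eth1, which is exactly the situation Rich describes.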