Hi Rich,
On Tue, 21 Mar 2000, Rich Payne <[EMAIL PROTECTED]> wrote:
> Yup, FWIW I actually run IMAP on my firewall box, however I've told
> ipchains not to allow any external connections on that port. So Imap/pop
> are usable inside the house, but nobody on the outside can get to them.
Yes, I do similar things (including rsh!).
I guess what I am advocating/emphasizing (not to you, but to people
considering setting up a home LAN + firewall) is to make sure the
*default* is to deny all incoming TCP connections.
More specifically, for an incoming packet on ANY port: if proto=TCP and SYN=1
then deny the packet. (except, possibly, for a handful of services you want
to provide to the internet, which are explicitly allowed in earlier rules)
Extra protection may be added to the sensitive ports (or even all < 1024)
for incoming packets with proto=TCP and SYN=0.
Just my $0.02.
Karl Runge
BTW, to define terms: the SYN bit in a tcp packet is set to 1 for the
first packet establishing the connection, and then is 0 for the rest of
the connection. I believe it is short for "synchronize" the bytes'
sequence counters.
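As an added example (not part of Karl's or Rich's mail), the following ipchains script encodes the policy described above: explicit allows first, then a default deny of every incoming TCP SYN on the external interface, then the extra non-SYN protection for the privileged ports. It assumes eth0 is the internet-facing interface and that 22/tcp and 80/tcp are the only services deliberately exposed; both are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original post: a default-deny ipchains input
# policy for a home firewall, in the spirit of the suggestion above.
# Assumptions (not in the original): the internet-facing interface is eth0,
# and 22/tcp and 80/tcp are the only services deliberately exposed.
EXT_IF="${EXT_IF:-eth0}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 80}"
# Set IPCHAINS="echo ipchains" to print the rules instead of installing them.
IPCHAINS="${IPCHAINS:-ipchains}"

firewall_rules() {
    # Start from a clean input chain.
    $IPCHAINS -F input
    # Explicit allows must come first: ipchains walks the chain in order and
    # stops at the first matching rule. No -y here, because the exposed
    # services need the non-SYN segments of their connections too.
    for port in $ALLOWED_TCP_PORTS; do
        $IPCHAINS -A input -i "$EXT_IF" -p tcp -d 0/0 "$port" -j ACCEPT
    done
    # The default: any other incoming TCP connection attempt from outside
    # (SYN set, ACK/FIN clear, which is what -y matches) is denied and logged,
    # so scans show up in the kernel log.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -y -l -j DENY
    # Extra protection for the privileged ports: drop non-SYN segments aimed
    # at 1-1023 as well. Replies to our own outbound connections arrive on
    # high (ephemeral) ports, so they never match this rule.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -d 0/0 1:1023 -j DENY
}

# Preview by default; install only when invoked as: sh firewall.sh install
if [ "${1:-}" = "install" ]; then
    firewall_rules
else
    IPCHAINS="echo ipchains"
    firewall_rules
fi
```

Rules for the internal interface are deliberately absent, so services such as IMAP or POP stay reachable from inside the house exactly as in Rich's setup.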
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************