/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
Audie Pierre <[EMAIL PROTECTED]> wrote:
>
> Unless you explicitly deny telnet access to your firewall machine, anybody
> could telnet to it. I believe that this can be accomplished like so:
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 23 \
>          -d $IPADDR $UNPRIVPORTS -j REJECT
The principle here is sound, but there are some items here that could
cause you trouble, if you're serious about firewalling.
The "! -y" option puzzles me. Why would you want to accept later
packets destined for port 23, if you don't want to accept the initial
packet? Are you trying to permit TCP hijacking?
Why do you only reject the connection if it comes from an unprivileged
port? Do you want to accept the connection if the hacker goes ahead and
uses a privileged source port on his machine?
I think a much better, restricted firewall for telnet traffic takes a
simpler form, like this:
ipchains -I input -i $EXTERNAL_INTERFACE -p tcp -d $IPADDR 23 -j REJECT -l
That is, if it's TCP, from the external interface, on port 23, reject
it. Nothing else matters. Oh, and logging these is a good idea, too.
Also notice that I insert the rule at the top of the list, rather than
append at the bottom, lest some other rule accidentally allow the
traffic through. I think that specific-deny rules should be near the
top of the list, so that general rules can apply only to packets not
specifically denied.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Nothing takes the taste out of peanut
sometimes known as David DeSimone || butter quite like unrequited love."
http://www.dallas.net/~fox/ || -- Charlie Brown
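As an added illustration, not code from the post, here is a toy first-match evaluator for the ipchains options the thread argues about. It shows that the quoted rule never matches an inbound telnet SYN (it matches replies from a remote telnet server instead), that a rule keyed on destination port 23 does, and why inserting with -I rather than appending with -A matters once a broader accept rule sits in the same chain; the packets and the broad accept rule are constructed for the demonstration.

```python
# Added illustration (not from the list post): toy first-match evaluator for the ipchains options discussed; values are constructed.
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    syn: bool                # True for the opening SYN, False afterwards

@dataclass
class Rule:
    target: str              # -j ACCEPT / REJECT
    proto: str = None        # -p
    sport: range = None      # port part of "-s addr port"
    dport: range = None      # port part of "-d addr port"
    syn: bool = None         # True = -y, False = "! -y", None = unspecified
    def matches(self, p):
        return ((self.proto is None or self.proto == p.proto)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and (self.syn is None or self.syn == p.syn))

def evaluate(chain, p, policy="ACCEPT"):
    """First matching rule decides, as in an ipchains chain; else the policy."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy

PORT23, UNPRIV = range(23, 24), range(1024, 65536)
# Quoted rule:  -p tcp ! -y -s $ANYWHERE 23 -d $IPADDR $UNPRIVPORTS -j REJECT
QUOTED = Rule("REJECT", "tcp", sport=PORT23, dport=UNPRIV, syn=False)
# The reply's intent, keyed on the destination port:  -p tcp -d $IPADDR 23 -j REJECT
FIXED = Rule("REJECT", "tcp", dport=PORT23)
# A broad rule accepting established (non-SYN) TCP, as a later rule might
GENERAL = Rule("ACCEPT", "tcp", syn=False)

# Constructed packets: an inbound telnet SYN from a privileged source port, a
# later segment of that session, and a remote telnet server's reply to the box.
INBOUND_SYN = Packet("tcp", sport=1023, dport=23, syn=True)
INBOUND_DATA = Packet("tcp", sport=1023, dport=23, syn=False)
REMOTE_REPLY = Packet("tcp", sport=23, dport=40000, syn=False)

if __name__ == "__main__":
    print(evaluate([QUOTED], INBOUND_SYN))           # ACCEPT: inbound telnet not blocked
    print(evaluate([QUOTED], REMOTE_REPLY))          # REJECT: outgoing telnet reply blocked
    print(evaluate([FIXED], INBOUND_SYN))            # REJECT
    print(evaluate([GENERAL, FIXED], INBOUND_DATA))  # ACCEPT: appended after GENERAL
    print(evaluate([FIXED, GENERAL], INBOUND_DATA))  # REJECT: inserted at the top
```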
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.