[220] in linux-security and linux-alert archive
Re: IP firewalling and security
daemon@ATHENA.MIT.EDU (Panzer Boy)
Mon Apr 24 18:02:41 1995
To: linux-security@tarsier.cv.nrao.edu
From: panzer@dhp.com (Panzer Boy)
Date: 21 Apr 1995 12:07:17 -0400
Thomas Koenig (Thomas.Koenig@ciw.uni-karlsruhe.de) wrote:
: IP firewalling for a single machine, methinks, can be used to enhance
: the security of services such as X or NFS.
I've added a /etc/rc.d/rc.ipfw startup script, I have it run before
rc.inet1 and rc.inet2. It's pretty simple and looks much like this:
IPFW=/sbin/ipfw
#
# "a b" = add a blocking rule; 199.234.136.0/24 is the local network.
#
# Block access to the portmapper (port 111) from any IP, before tcpd
# ever gets to check it; then allow it from the local network only.
${IPFW} a b deny udp from 0.0.0.0/0 to 199.234.136.0/24 111
${IPFW} a b deny tcp from 0.0.0.0/0 to 199.234.136.0/24 111
${IPFW} a b accept udp from 199.234.136.0/24 to 199.234.136.0/24 111
${IPFW} a b accept tcp from 199.234.136.0/24 to 199.234.136.0/24 111
#
# Block NFS traffic (port 2049) from non-local IP addresses, same pattern.
${IPFW} a b deny udp from 0.0.0.0/0 to 199.234.136.0/24 2049
${IPFW} a b deny tcp from 0.0.0.0/0 to 199.234.136.0/24 2049
${IPFW} a b accept udp from 199.234.136.0/24 to 199.234.136.0/24 2049
${IPFW} a b accept tcp from 199.234.136.0/24 to 199.234.136.0/24 2049
#
And so on, for the syslog port, for the printer port, for the samba port,
and also for X11 port. I block TCP along with UDP because of this:
> /usr/sbin/rpcinfo -p localhost
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
If it's going to advertise on TCP, maybe you should block TCP.... :)
-Matt (panzer@dhp.com) DI-1-9026
"That which can never be enforced should not be prohibited."
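The post's point is that every proto/port pair the portmapper advertises (TCP as well as UDP) deserves the same deny-from-anywhere / accept-from-localnet pair of rules. The script below is an added example, not code from the original post or from the ipfw tool: it parses the output of `rpcinfo -p` and emits those rule pairs in the same ipfw syntax the post uses, so newly advertised RPC services are not missed by hand. It assumes the 1.2-era `ipfw a b <policy> <proto> from <src> to <dst> <port>` syntax and the local network 199.234.136.0/24 from the post; the rpcinfo listing it runs on is constructed inline (the mountd entry and its port number are made up for illustration).

```shell
#!/bin/sh
# Added example (not from the original post): generate the post's
# "deny from anywhere, then accept from the local net" rule pair for
# every proto/port the portmapper advertises, rather than writing one
# block per service by hand.
# Assumptions: Linux 1.2-era ipfw syntax "ipfw a b <policy> <proto>
# from <src> to <dst> <port>", and the post's local network.

IPFW=/sbin/ipfw
LOCALNET=199.234.136.0/24

# Constructed sample of `rpcinfo -p localhost` output: the post's four
# lines plus a made-up mountd entry (port 770 is invented) to show that
# extra advertised services are picked up automatically.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    770  mountd
    100005    1   tcp    770  mountd'

# rpc_rules: read rpcinfo -p output on stdin, print ipfw rules on stdout.
# Each distinct proto/port pair gets one deny rule (from 0.0.0.0/0) and
# one accept rule (from LOCALNET), in the order the post uses. Both tcp
# and udp are covered because the portmapper advertises both.
rpc_rules() {
    awk -v ipfw="$IPFW" -v net="$LOCALNET" '
        $1 == "program" { next }              # skip the header line
        $3 != "tcp" && $3 != "udp" { next }   # only real transports
        {
            key = $3 "/" $4
            if (key in seen) next             # one pair per proto/port
            seen[key] = 1
            printf "# %s (program %s)\n", $5, $1
            printf "%s a b deny %s from 0.0.0.0/0 to %s %s\n", ipfw, $3, net, $4
            printf "%s a b accept %s from %s to %s %s\n", ipfw, $3, net, net, $4
        }'
}

# rule_count: number of ipfw rule lines generated for the sample
# (comment lines excluded). The sample has 6 proto/port pairs -> 12 rules.
rule_count() {
    printf '%s\n' "$SAMPLE_RPCINFO" | rpc_rules | grep -c 'a b '
}

# has_rule <proto> <port>: exit 0 if a deny-from-anywhere rule for that
# proto/port is generated from the sample.
has_rule() {
    printf '%s\n' "$SAMPLE_RPCINFO" | rpc_rules |
        grep -q "^$IPFW a b deny $1 from 0.0.0.0/0 to $LOCALNET $2\$"
}

# To apply on a live box (root, 1.2-era ipfw), feed the real listing:
#   /usr/sbin/rpcinfo -p localhost | rpc_rules | sh
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_rules
```

Run it against real `rpcinfo -p` output instead of the sample and review the generated lines before piping them into `sh`; the script deliberately emits both the TCP and UDP rule for each port, which is exactly the case the post argues for.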