ipchains - sorry to flog this horse

Author: der.hans
Date:  
Subject: ipchains - sorry to flog this horse
On Fri, 31 Mar 2000, Craig White wrote:

> thinking that this discussion might be of interest to others and not wanting
> to abuse Mike Sheldon or Jean Francois...but I am feeling like by installing
> linux systems on the internet, I am lobbing up softballs for weak hitters to
> hit out of the park.
>
> 1 - if I create a chain ruleset
>
>     default policy deny
>     accept TCP/UDP port 25, 110, 80
>     reject TCP/UDP ports 1:1024
You could specifically block incoming TCP connections above 1024 as well.

Also, the ipchains HOWTO suggests blocking one of the icmp types. Type 5,
I believe...

>     does this adequately protect all but mail & www from things
>     like BIND & FTP exploitation attacks?
>
> 2 - does it then make sense to use tcpd to protect the exposed services?
I think so. If your chains get screwed up you still have other mechanisms
to keep you safe. I don't like trusting only one mechanism, especially on
a firewall. I also comment out all services in /etc/inetd.conf as well as
disabling inetd just in case it gets turned on again.

ciao,

der.hans
-- 
# +++++++++++=================================+++++++++++ #
#                     www.excelco.com                     #
#            http://home.pages.de/~lufthans/              #
#             I've got a photographic memory,             #
#         but I'm lousy photographer. - der.hans          #
# ===========+++++++++++++++++++++++++++++++++=========== #