Re: [SLUG] Question about firewalls and ports.

From: Derek Glidden (dglidden@illusionary.com)
Date: Wed Apr 24 2002 - 11:02:20 EDT

Next message: Syd Alsobrook: "Re: [SLUG] Explorer Only? (was: Final notice about Bradenton"
Previous message: Patrick \(at work\): "Re: [SLUG] Explorer Only? (was: Final notice about Bradenton gathering tonight)"
In reply to: Paul M Foster: "Re: [SLUG] Question about firewalls and ports."
Next in thread: Chuck Hast: "Re: [SLUG] Question about firewalls and ports."
Reply: Chuck Hast: "Re: [SLUG] Question about firewalls and ports."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

A reminder to everyone that my presentation on Linux-based firewalls is
available on the web:

http://www.illusionary.com/~dglidden/linux-fw/

It's sort of a "dummy's guide to making a linux box into a firewall" to
show you basic iptables commands and, more importantly, covers the basic
rules of firewall design and security in general:

* Deny by default

* Trust no one

* Complexity is your enemy

* Security is a process, not a product

On Tue, 2002-04-23 at 18:45, Paul M Foster wrote:
> On Tue, Apr 23, 2002 at 04:49:26PM -0700, William Reed Coulter wrote:
>
> > That is great but how do I block them from being used? I know that the
> > firewall can be setup to block stuff but do I have so specify all the ports
> > or just the ones that I want to go in and out?
> >
>
> If you're setting up firewall rules, they work in sequence. You can set
> up rules that accept traffic on one or more ports first, and then later
> on have rules that block everything else. The "everything else" can be
> as simple as "drop everything that comes in to this IP address, don't
> care what port it is." As your firewall looks at the traffic, it checks
> each rule in turn to see if the traffic fits that rule. If it hits the
> "accept" rules first (and satisfies them), it gets accepted. If it hits
> those rules but doesn't satisfy them (as in, it's on a port you didn't
> specify as accepting), it falls through to the "kill the rest" rules.
>
> So no, you don't have to specify everything. Just say, "accept this,
> this and this", and then "throw away the rest".
>
> Paul

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#!/usr/bin/perl -w
$_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;$t=255;@t=map
{$_%16or$t^=$c^=($m=(11,10,116,100,11,122,20,100)[$_/16%8])&110;
$t^=(72,@z=(64,72,$a^=12*($_%16-2?0:$m&17)),$b^=$_%64?12:0,@z)
[$_%8]}(16..271);if((@a=unx"C*",$_)[20]&48){$h=5;$_=unxb24,join
"",@b=map{xB8,unxb8,chr($_^$a[--$h+84])}@ARGV;s/...$/1$&/;$d=
unxV,xb25,$_;$e=256|(ord$b[4])<<9|ord$b[3];$d=$d>>8^($f=$t&($d
>>12^$d>>4^$d^$d/8))<<17,$e=$e>>8^($t&($g=($q=$e>>14&7^$e)^$q*
8^$q<<6))<<9,$_=$t[$_]^(($h>>=8)+=$f+(~$g&$t))for@a[128..$#a]}
print+x"C*",@a}';s/x/pack+/g;eval 
usage: qrpff 153 2 8 105 225 < /mnt/dvd/VOB_FILENAME \
    | extract_mpeg2 | mpeg2dec - 
         http://www.cs.cmu.edu/~dst/DeCSS/Gallery/
http://www.eff.org/                   http://www.anti-dmca.org/

Next message: Syd Alsobrook: "Re: [SLUG] Explorer Only? (was: Final notice about Bradenton"
Previous message: Patrick \(at work\): "Re: [SLUG] Explorer Only? (was: Final notice about Bradenton gathering tonight)"
In reply to: Paul M Foster: "Re: [SLUG] Question about firewalls and ports."
Next in thread: Chuck Hast: "Re: [SLUG] Question about firewalls and ports."
Reply: Chuck Hast: "Re: [SLUG] Question about firewalls and ports."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:32:47 EDT