Gone Paranoid: private IP to public IP!!

Juan Manuel Palacios yellowdog-general@lists.terrasoftsolutions.com
Sat Jul 6 01:21:00 2002


	Thanks Ian, very interesting and educating. Your recommendations 
were adopted the minute they were received! Anywhere you know where I 
could look for detailed info about tcpwrappers?

	Regards,...


		Juan.

On Sunday, June 30, 2002, at 03:13  PM, Iain Stevenson wrote:

>
>
> --On Sunday, June 30, 2002 1:24 am -0400 Juan Manuel Palacios 
> <jmpalacios@mac.com> wrote:
>
>>>
>>> - go through /etc/xinetd.conf and disable anything you don't need
>>
>> 	That sounds easy enough, I'll get right to it. Disabling the 
>> services I
>> don't need ensures that the IP ports they bind to will be properly 
>> closed?
>>
>
> Generally, yes.  For any daemon that runs exclusively via xinetd this 
> will close the port.  Some daemons (eg cyrus imap, postfix, ssh) run 
> outside of xinetd - you need to use tcpwrappers or a firewall script to 
> deal with them.
>
>>> - make sure tcpwrappers is correctly installed and that
>>> /etc/hosts.allow and /etc/hosts.deny are configured correctly
>>
>> 	My knowledge about tcpwrappers is completely null. I don't know 
>> what it
>> is (service, binary, protocol... ?), where in the filesystem it is or
>> even what it is for. Any words that might enlighten me on this one
>> please... ?
>
> tcpwrappers is a venerable piece of code that sits between many daemons 
> and the external network.  Most daemons are built with tcpwrappers 
> support so that they can take advantage of the protection that it gives.
>
> I once had a problem with an old copy of tcpwrappers so grab the latest 
> YDL rpm and install it.
>
> Make sure /etc/hosts.deny contains this:
>
>  ALL: ALL
>
> This basically denies all TCP/IP accesses that aren't explicitly 
> enabled by /etc/hosts.allow
>
> Check if /etc/hosts.allow contains this:
>
>  ALL: LOCAL
>
> That allows access to all the TCP/IP services running on the Linux 
> system from local machines only.  Read man hosts.allow for some more 
> examples.
>
>>> - install gShield or some other iptables based firewall script - this
>>> can block high port access amongst other things
>>
>> 	gShield works over iptables, with its commands and syntax? I 
>> really want
>> to give iptables a good shot.
>>
>
> Yes - gShield is just a clever script for setting up iptables rules - 
> you don't really want to get into working iptables out for yourself.  
> Just grab the script from here:
>
>  ftp://muse.linuxmafia.org/pub/gShield/v2/gShield-2.8.tgz
>
> Assuming you downloaded the script to /home/somewhere, install the 
> script (as root):
>
>  cd /etc
>  tar xvfz /home/somewhere/gShield-2.8.tgz
>  mv gShield-2.8 firewall
>  cd firewall
>
> Then edit gShield.conf to suit your needs.  I start the script from 
> /etc/rc.local by including this line:
>
>  /etc/firewall/gShield.rc
>
> That's it.
>
>  Iain
>
> _______________________________________________
> yellowdog-general mailing list
> yellowdog-general@lists.terrasoftsolutions.com
> http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
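As an added illustration (not code from this thread or from the tcpwrappers project), the small evaluator below models the plain "daemons : clients" lines of /etc/hosts.allow and /etc/hosts.deny so the effect of the recommended "ALL: ALL" / "ALL: LOCAL" pair can be checked on constructed client names and addresses. It assumes only the common hosts_access(5) patterns (ALL, LOCAL, a ".domain" suffix, a "net." prefix, an exact host or IP); EXCEPT and the optional shell-command field are not modelled.

```python
# Added example, not code from the thread: a minimal evaluator for the plain
# "daemons : clients" lines of hosts.allow/hosts.deny, showing what the
# recommended "ALL: ALL" / "ALL: LOCAL" pair does. Only a subset of the
# hosts_access(5) patterns is modelled; EXCEPT and the command field are not.

# Constructed sample files, exactly as the thread recommends.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "# local machines only\nALL: LOCAL\n"

def parse_rules(text):
    """Turn 'daemons : clients [: command]' lines into (daemons, clients) lists."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:  # blank, comment or malformed lines are skipped
            rules.append((fields[0].split(), fields[1].split()))
    return rules

def client_matches(pattern, host, ip):
    """One client pattern, as hosts_access(5) defines the common forms."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":          # any host name without a dot in it
        return "." not in host
    if pattern.startswith("."):     # domain suffix such as ".example.org"
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):       # network prefix such as "192.168.1."
        return ip.startswith(pattern)
    return pattern.lower() == host.lower() or pattern == ip

def rule_matches(rule, daemon, host, ip):
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and any(
        client_matches(c, host, ip) for c in clients)

def access_allowed(daemon, host, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match at all allows."""
    if any(rule_matches(r, daemon, host, ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, host, ip) for r in parse_rules(deny_text)):
        return False
    return True

# An unresolvable client is seen by its IP string, which contains dots,
# so LOCAL never matches it and the ALL: ALL deny rule applies.
print(access_allowed("sshd", "workstation", "192.168.1.20"))      # True
print(access_allowed("sshd", "host.example.net", "203.0.113.9"))  # False
```

Note that this only governs daemons built with libwrap or started through xinetd; as the reply above says, anything else still needs a firewall rule.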