main-request@lists.alug.org.uk wrote:
From: bsamuels@beenthere-donethat.org.uk (Barry Samuels)
Subject: [Alug]ADSL and security
My local telephone exchange is becoming broadband enabled at the end of September and I am working on the assumption that I will be able to use it (BT's site says I MAY).
I have a firewall running (Endoshield - very easy to set up) and have just changed it to Bastille which seems to be working (grc.com).
Bastille recommends 'psad' which is also now installed. I had Snort and Samhain installed but do I need these?
Do I need Packet Mangling enabled in the Kernel which it isn't at present?
Oo, lucky you. There are a couple of ways to manage it. Are you planning a separate firewall machine, e.g.
adsl -- firewall -- desktops, servers
?
If so, the short version of your design goal is to turn off everything on the firewall except reply packets, then forward ports from the outside to the inside only for what you need. Example:
firewall has a "real" IP of 1.1.1.1, and an "inside" IP of 10.1.1.1
You should make your gateway 10.1.1.1 on the machines inside the firewall, and set the firewall up to NAT packets from the LAN to the outside.
If you have a web server that you want to host at 1.1.1.1 port 80, you would port forward 1.1.1.1 port 80 to 10.1.1.2 port 80, for example.
If you are just surfing the web, reading email, and not running any servers, that's dead easy. You can even just ensure that a single desktop machine isn't running any unwanted services and run without a firewall.
The best ways to check what ports you have open are the following:
nmap localhost (this portscans yourself)
lsof -i (this lists any open TCP/IP ports)
chkconfig --list | grep :on (this shows what daemons are running on many linux distros)
You can also man iptables to see the built-in firewall commands.
iptables -nvL will list any firewall rules in place
packet mangling is really only necessary if you want to create some fancy custom rules to allow stateful protocols through, to do complex packet tracking, or other stuff outside the realm of a normal home firewall.
If you would like more detail on any of those options, or some sample iptables rules, pop up another message and I'm sure that many of us will be able to help!
DB