main-request@lists.alug.org.uk wrote:
From: bsamuels@beenthere-donethat.org.uk (Barry Samuels)
Subject: [Alug]ADSL and security
My local telephone exchange is becoming broadband enabled at the end of September and I am working on the assumption that I will be able to use it (BT's site says I MAY).
I have a firewall running (Endoshield - very easy to set up) and have just changed it to Bastille which seems to be working (grc.com).
Bastille recommends 'psad' which is also now installed. I had Snort and Samhain installed but do I need these?
Do I need Packet Mangling enabled in the Kernel which it isn't at present?
Oo, lucky you. There are a couple of ways to manage it. Are you planning a separate firewall machine, eg
adsl -- firewall -- desktops, servers
?
If so, the short version of your design goal is to turn off everything on the firewall except reply packets, then forward ports from the outside to the inside only for what you need. Example:
firewall has a "real" IP of 1.1.1.1, and an "inside" IP of 10.1.1.1
You should make your gateway 10.1.1.1 on the machines inside the firewall, and set the firewall up to NAT packets from the LAN to the outside.
If you have a web server that you want to host at 1.1.1.1 port 80, you would port forward 1.1.1.1 port 80 to 10.1.1.2 port 80, for example.
If you are just surfing the web, reading email, and not running any servers, that's dead easy. You can even just ensure that a single desktop machine isn't running any unwanted services and run without a firewall.
The best ways to check what ports you have open are the following:
nmap localhost (this portscans yourself)
lsof -i (this lists any open TCP/IP ports)
chkconfig --list | grep :on (this shows what daemons are running on many Linux distros)
You can also man iptables to see the built-in firewall commands.
iptables -nvL will list any firewall rules in place
packet mangling is really only necessary if you want to create some fancy custom rules to allow stateful protocols through, to do complex packet tracking, or other stuff outside the realm of a normal home firewall.
If you would like more detail on any of those options, or some sample iptables rules, pop up another message and I'm sure that many of us will be able to help!
DB
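A worked version of the design Dan describes above, as an added example that is not part of the thread: an iptables script for the adsl -- firewall -- desktops layout (default drop, reply packets only, LAN NATed out, one port forward). The interface names eth0/eth1, the LAN range 10.1.1.0/24 and the web server 10.1.1.2 are assumptions; the 1.1.1.1 / 10.1.1.1 addresses are the ones from the message.

```bash
#!/bin/sh
# Added example, not code from the thread. Rules for the
# "adsl -- firewall -- desktops, servers" layout Dan describes:
# default drop, reply packets only, LAN NATed out, one port forward.
# Assumed names: eth0 = outside (1.1.1.1), eth1 = inside (10.1.1.1,
# LAN 10.1.1.0/24), web server on 10.1.1.2:80. Prints the commands;
# "--apply" (as root) runs them. Only the filter and nat tables are
# used, so no packet mangling / iptable_mangle is needed for this.
WAN_IF=${WAN_IF:-eth0}; WAN_IP=${WAN_IP:-1.1.1.1}
LAN_IF=${LAN_IF:-eth1}; LAN_NET=${LAN_NET:-10.1.1.0/24}
WEB_HOST=${WEB_HOST:-10.1.1.2}

gen_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
# Default deny: nothing reaches the firewall or the LAN unless allowed below.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Reply packets for connections the inside (or the firewall itself) started.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN goes out, hidden behind the real IP (SNAT --to $WAN_IP is equivalent when the real IP is static).
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
# The one inbound hole: $WAN_IP:80 forwarded to $WEB_HOST:80.
iptables -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Log a sample of what gets dropped; psad reads these iptables log lines.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
EOF
}

if [ "$1" = "--apply" ]; then
    gen_rules | sh -e
else
    gen_rules
fi
```

Once applied, iptables -nvL (and iptables -t nat -nvL) lists the rules with their packet counters, as mentioned above.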
Dan Beimborn hoon@celticmusic.com wrote:
Oo, lucky you. There are a couple of ways to manage it. Are you planning a separate firewall machine, eg
adsl -- firewall -- desktops, servers
Nope.
If so, the short version of your design goal is to turn off everything on the firewall except reply packets, then forward ports from the outside to the inside only for what you need. Example:
firewall has a "real" IP of 1.1.1.1, and an "inside" IP of 10.1.1.1
You should make your gateway 10.1.1.1 on the machines inside the firewall, and set the firewall up to NAT packets from the LAN to the outside.
If you have a web server that you want to host at 1.1.1.1 port 80, you would port forward 1.1.1.1 port 80 to 10.1.1.2 port 80, for example.
Whoa! This is a little over my head I'm afraid. I understood the bit up to 'If so'.
If you are just surfing the web, reading email, and not running any servers, that's dead easy. You can even just ensure that a single desktop machine isn't running any unwanted services and run without a firewall.
The best ways to check what ports you have open are the following:
nmap localhost (this portscans yourself)
lsof -i (this lists any open TCP/IP ports)
chkconfig --list | grep :on (this shows what daemons are running on many Linux distros)
You can also man iptables to see the built-in firewall commands.
iptables -nvL will list any firewall rules in place
packet mangling is really only necessary if you want to create some fancy custom rules to allow stateful protocols through, to do complex packet tracking, or other stuff outside the realm of a normal home firewall.
Right so I probably don't need packet mangling. The only reason I asked is that I have seen a message in the logs something along the lines of 'can't load module iptables_mangle'.
If you would like more detail on any of those options, or some sample iptables rules, pop up another message and I'm sure that many of us will be able to help!
Bastille seems to set up a good firewall in a very easy manner (for me anyway).
Somebody mentioned Andrews and Arnold who certainly seem to offer a very good service from the remarks I've seen on Usenet but are a little expensive for me. I'm thinking of Plusnet.
I'm not actually desperate to have ADSL but I have worked out that as I currently have two lines, one for the telephone and one for the computer, if I can get ADSL I can then get rid of the second line and my current ISP. The saved cost of those will then mean I will pay only a few pounds extra per month for ADSL if I can get it for around 27 pounds including VAT.
Thanks again for all the replies.
Barry Samuels http://www.beenthere-donethat.org.uk The Unofficial Guide to Great Britain
On 2003-09-03 15:45:11 +0100 Barry Samuels bsamuels@beenthere-donethat.org.uk wrote:
Right so I probably don't need packet mangling. The only reason I asked is that I have seen a message in the logs something along the lines of 'can't load module iptables_mangle'.
If you don't need it, it may not be worth worrying about. If you feel like making sure, someone may be able to send clues on how to find out what's trying to load this.
[...]
Somebody mentioned Andrews and Arnold who certainly seem to offer a very good service from the remarks I've seen on Usenet but are a little expensive for me. I'm thinking of Plusnet.
I've not seen much good of Plusnet, but I've not seen much of them. UKFSN is 27.50 per month, according to the leaflet I have here, so just beyond your price. Other random thoughts: Remember to include activation charges. Generally, ISP modems should be avoided: get something known to work, rather than just whatever a manufacturer flogged to the ISP.
MJ Ray markj@cloaked.freeserve.co.uk wrote:
I've not seen much good of Plusnet, but I've not seen much of them.
I've seen a lot of good comments regarding their ADSL service although a number of adverse remarks about the equipment they supply.
UKFSN is 27.50 per month, according to the leaflet I have here, so just beyond your price.
Not necessarily. I don't have a fixed boundary but as I'm retired on a pension I have to watch the pennies a bit. I'll have a look at them. I think someone else may have mentioned them.
Other random thoughts: Remember to include activation charges.
Activation charges, I assume, are a one off payment.
Generally, ISP modems should be avoided: get something known to work, rather than just whatever a manufacturer flogged to the ISP.
I have a small home ethernet network and my mainboard has a spare network port (eth1) so I'm planning to get a router from a local supplier.
That has just prompted another thought. There's no point in me paying somewhere around 70 pounds for a router until I know that ADSL will work on my line.
Barry Samuels http://www.beenthere-donethat.org.uk The Unofficial Guide to Great Britain
On Wednesday, Sep 3, 2003, at 17:16 Europe/London, Barry Samuels wrote:
MJ Ray markj@cloaked.freeserve.co.uk wrote:
I've not seen much good of Plusnet, but I've not seen much of them.
I've seen a lot of good comments regarding their ADSL service although a number of adverse remarks about the equipment they supply.
I was lucky with my ADSL to be honest. Zen Internet were offering free activation charge in June I think. 27 quid a month!
I seriously love to switch over to bulldogdsl.com.. wow!
C
Barry Samuels wrote:
MJ Ray markj@cloaked.freeserve.co.uk wrote:
I've not seen much good of Plusnet, but I've not seen much of them.
I've seen a lot of good comments regarding their ADSL service although a number of adverse remarks about the equipment they supply.
Sorry for my late reply on this, but I've had PlusNet for a few months and would recommend them. Good price and I have no complaints about the router they provided me with, although I have no experience of other models to make a comparison.
There was an issue a while back with some downtime now and then on my connection, but PlusNet kept me informed and it turned out to be BT's fault :)
-- Ben "tola" Francis