Hello, I just want to make sure I've got this right.

Given all the worms and such, I thought it would be a good idea to ban access to ports from the Internet to my LAN. So, for example, let's say I wanted to ban access to TCP port 999. I think I would add the following line to my blacklists file:

0.0.0.0/0 tcp 999

I just want to make sure I've got that right. I'm administering this remotely and don't want to lose my network.

Thanks!

-MikeD
On Mon, 2003-08-25 at 11:04, Mike Dillinger wrote:
> Hello,
>
> I just want to make sure I've got this right.
>
> Given all the worms and such, I thought it would be a good idea to ban
> access to ports from the Internet to my LAN. So, for example, let's say
> I wanted to ban access to TCP port 999. I think I would add the
> following line to my blacklists file:
> 0.0.0.0/0 tcp 999
>
> I just want to make sure I've got that right. I'm administering this
> remotely and don't want to lose my network.
>

Yes -- Here are some examples from my blacklist file:

0.0.0.0/0 udp 1434
0.0.0.0/0 tcp 1433
0.0.0.0/0 tcp 8081
0.0.0.0/0 tcp 57

Note that these entries don't make your firewall any more secure than it was before, assuming that you had the standard "net->all DROP" policy; they merely cut down on the number of messages logged under that policy.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
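Since the original poster is editing the blacklist remotely and cannot afford a bad restart, a small pre-check of the file is worth having. The following is an added example, not code from the thread or from Shorewall itself: it validates lines in the three-column form the thread shows (ADDRESS/SUBNET, PROTOCOL, PORT); accepting only tcp/udp and a comma-separated port list are assumptions of this checker, and the sample file is constructed from the entries quoted above.

```python
import ipaddress

# Column layout as shown in the thread: ADDRESS/SUBNET  PROTOCOL  PORT
# Restricting PROTOCOL to tcp/udp and allowing "p1,p2" port lists are
# assumptions of this checker, not rules stated in the thread.
VALID_PROTOCOLS = {"tcp", "udp"}


def parse_blacklist_entry(line):
    """Parse one line; return (network, proto, ports), None for blank/comment, or raise ValueError."""
    text = line.split("#", 1)[0].strip()        # drop trailing comments
    if not text:
        return None
    fields = text.split()
    if len(fields) != 3:
        raise ValueError(f"expected 3 columns, got {len(fields)}: {line!r}")
    addr, proto, port_field = fields
    network = ipaddress.ip_network(addr, strict=False)   # raises on a bad address/mask
    proto = proto.lower()
    if proto not in VALID_PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r} in {line!r}")
    ports = []
    for p in port_field.split(","):
        n = int(p)                                   # raises on non-numeric port
        if not 1 <= n <= 65535:
            raise ValueError(f"port {n} out of range in {line!r}")
        ports.append(n)
    return network, proto, tuple(ports)


def check_blacklist(text):
    """Return (valid_entries, [(lineno, error_message), ...]) for a whole file."""
    ok, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_blacklist_entry(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
        else:
            if entry is not None:
                ok.append(entry)
    return ok, errors


# Constructed sample modelled on the entries quoted in the thread, plus two bad lines.
SAMPLE = """\
# constructed blacklist file
0.0.0.0/0 tcp 999
0.0.0.0/0 udp 1434
0.0.0.0/0 tcp 1433
0.0.0.0/0 tcp 8081,57
0.0.0.0/0 tcp 70000      # port out of range: rejected
0.0.0.0/0 999            # protocol column missing: rejected
"""

if __name__ == "__main__":
    good, bad = check_blacklist(SAMPLE)
    for net, proto, ports in good:
        print(f"OK   {net} {proto} {ports}")
    for lineno, msg in bad:
        print(f"FAIL line {lineno}: {msg}")
```

Run it against the real file before `shorewall restart`; a non-empty error list means the file would not load as intended.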
> Message: 3
> Date: 25 Aug 2003 11:25:53 -0700
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] Ban Access to Port
> To: Mike Dillinger <miked@softtalker.com>
> Cc: shorewall-users <shorewall-users@lists.shorewall.net>
> Message-ID: <1061835953.29039.11.camel@wookie.shorewall.net>
> Content-Type: text/plain
>
> On Mon, 2003-08-25 at 11:04, Mike Dillinger wrote:
> > Hello,
> >
> > I just want to make sure I've got this right.
> >
> > Given all the worms and such, I thought it would be a good idea to ban
> > access to ports from the Internet to my LAN. So, for example, let's say
> > I wanted to ban access to TCP port 999. I think I would add the
> > following line to my blacklists file:
> > 0.0.0.0/0 tcp 999
> >
> > I just want to make sure I've got that right. I'm administering this
> > remotely and don't want to lose my network.
> >
>
> Yes -- Here's some examples from my blacklist file:
>
> 0.0.0.0/0 udp 1434
> 0.0.0.0/0 tcp 1433
> 0.0.0.0/0 tcp 8081
> 0.0.0.0/0 tcp 57
>
> Note that these entries don't make your firewall any more secure than it
> was before assuming that you had the standard "net->all DROP" policy;
> they merely cut down on the number of messages logged under that policy.
>
> -Tom

Is it 'cheaper' to do this in blacklist, rather than in rules or policy?

--
_________________________________________
Nachman Yaakov Ziskind, EA, LLM                awacs@egps.com
Attorney and Counselor-at-Law                  http://yankel.com
Economic Group Pension Services                http://egps.com
Actuaries and Employee Benefit Consultants
On Tue, 2003-08-26 at 10:06, Nachman Yaakov Ziskind wrote:
>
> Is it 'cheaper' to do this in blacklist, rather than in rules or policy?

It is more expensive in blacklist. Every packet incoming on a blacklist-enabled interface is checked against the blacklist file, while only connection requests are checked against rules.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net