
Re: ipchains

On Tue, 11 Apr 2000, Charles Menzes wrote:
> I just recently finished setting up ipchains on both a test server as well
> as my home machine. I would like to get fairly strict for the server
> platform, which should not be very difficult, however for home use I have
> a question about what implications there would be by allowing free range
> in and out for ports above 1024. I am running X, so I did add a deny for
> any incoming packets to 6000:6063, but other than that, it's pretty much
> free game. I am not running nfs, however I do run gnapster and icqnix
> which all use high ports for establishing sessions both as a client and
> server. I could set up specific rulesets for each of these apps, but I was
> curious to hear opinion on what ramifications there are from just allowing
> ACCEPT in/out for >1024.

On the internal machines, run "netstat -nlt" to see all the tcp ports the
machine's listening on (similarly -nlu for udp and -nlw for raw sockets). See
all the stuff under "local address"?  Look for ports greater than 1024.  You
should be able to do something like "lsof -i :port" where you replace "port"
with the port you're interested in.  That'll tell you what process(es) are
listening on that port.  You may have to do it as root to get anything
useful out of lsof...

Anyway, decide if you care about those ports being accessible from outside.
If not, well, block access.  If you think there are users inside that might
be adding programs that bind to a high port but you don't want them to,
either remove that user or (if you're that user) block off the ports you're
concerned about.  You can get a listing of common services and their
corresponding ports in /etc/services - that oughtta help some.  I personally
wouldn't be terribly concerned, but then I masquerade everything and don't
have non-trusted users, so I really don't have those problems (although
there are others).

--Danny
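The audit Danny sketches (list the listeners, pick out the ones above 1024, look each port up in /etc/services, then ask lsof which process owns it) as one shell script. This is an added example, not code from the mail or the list; the netstat output and the services table embedded below are constructed samples, and the function names (high_ports, service_name, report_high_ports, port_owner) are my own. The live run at the bottom assumes a netstat whose "Local Address" column is the fourth field, as on Linux.

```shell
#!/bin/sh
# Added example: find listeners on ports above 1024, name them from a
# services(5)-style table, and show how to map a port to its process.

# Constructed sample of "netstat -nltu" output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6699            0.0.0.0:*               LISTEN
tcp6       0      0 :::6000                 :::*                    LISTEN
udp        0      0 0.0.0.0:4000            0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# Constructed subset of /etc/services, in the real file's "name port/proto" layout.
SAMPLE_SERVICES='# constructed services table
ssh             22/tcp
domain          53/udp
x11             6000/tcp    # X Window System
x11-1           6001/tcp'

# high_ports [threshold]: read netstat-style text on stdin and print
# "proto port bind-address" for every listener whose port exceeds the
# threshold (default 1024). Header lines are skipped by the protocol match.
high_ports() {
    awk -v min="${1:-1024}" '
        $1 ~ /^(tcp|udp|tcp6|udp6|raw)$/ {
            n = split($4, parts, ":")            # port is the last ":" field
            port = parts[n] + 0
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (port > min) print $1, port, addr
        }'
}

# service_name PORT PROTO: read a services(5)-style table on stdin and print the
# conventional name for PORT/PROTO, or "unknown". tcp6/udp6 map to tcp/udp.
service_name() {
    port="$1"; proto="$2"
    case "$proto" in tcp6) proto=tcp ;; udp6) proto=udp ;; esac
    name=$(awk -v p="$port" -v pr="$proto" '
        $1 !~ /^#/ && $2 == (p "/" pr) { print $1; exit }')
    printf '%s\n' "${name:-unknown}"
}

# report_high_ports SERVICES_TEXT: netstat-style text on stdin, one line per
# high-port listener: "proto port bind-address service-or-unknown".
# A listener bound to 0.0.0.0 or :: is reachable from outside unless the
# firewall blocks it; 127.0.0.1 is not.
report_high_ports() {
    services="$1"
    high_ports 1024 | while read -r proto port addr; do
        name=$(printf '%s\n' "$services" | service_name "$port" "$proto")
        printf '%s %s %s %s\n' "$proto" "$port" "$addr" "$name"
    done
}

# port_owner PORT: the "lsof -i :port" step. -n/-P skip name lookups so the
# output matches the numeric netstat view. Usually needs root to see every
# user's processes.
port_owner() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not installed" >&2; return 1; }
    lsof -nP -i :"$1"
}

# Stand-alone run: report on the constructed sample, then on the live host if
# netstat is present.
printf '%s\n' "$SAMPLE_NETSTAT" | report_high_ports "$SAMPLE_SERVICES"
if command -v netstat >/dev/null 2>&1 && [ -r /etc/services ]; then
    netstat -nltu 2>/dev/null | report_high_ports "$(cat /etc/services)"
fi
```

On the sample, the report flags 6010/tcp and 6699/tcp (unknown), 6000/tcp6 (x11, bound to every interface) and 4000/udp, and leaves 22 and 53 alone. Anything listed with a 0.0.0.0 or :: bind address is what an "ACCEPT in/out for >1024" policy exposes; run port_owner on each to see whether it is gnapster, icqnix or something you did not expect.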


--
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.