On 4/8/2010 6:59 AM, Adam Morris wrote:
> 1) Usually, it's wiser and more secure to silently drop packets to avoid 
> opening yourself to certain reflective attacks.
>   
Could you elaborate? It's not a big deal if I have to drop instead of
reject packets, but I'd like to know more.
> 2) As long as you don't have software running on one of those ports that 
> could be exploited.  I would recommend running a nmap scan on your 
> localhost to see if there are any programs you may not realize using 
> ports above 10000. nmap by default doesn't look at the full port range, 
> so you'll need to specify "-p1-65535" as one of the arguments.
>   
nmap returned some interesting results. I found some ports that should
be closed that were filtered and nmap was able to determine their
services. There were some other ports open, but nmap couldn't determine
the service, so my guess is that these ports were opened by
transmission-daemon to connect to other peers.
> 3) That's a little difficult.  Do they have dynamic DNS set up for 
> themselves?  That's the only way I can think you could set that up.
It's done by their ISPs. If they get disconnected from their ISP (e.g.
modem reset, service outage), they get a new IP address when they
reconnect. I'm mostly worried about myself. Such a situation is rare,
but if I get assigned a new IP address, I'm locked out and there's no
one to let me back in. I could write a script that would replace
Shorewall's rules file with a similar one that would open up ssh to the
public so I could log in, but I'd have to open ssh to one of my users, all
of whom (AFAIK) are clueless when it comes to Linux/Unix and the sole
reason they would have shell access would be to execute the script.
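Added example, not part of the list thread and not the poster's script. One way to avoid the lockout described above without giving anyone else shell access: put the admin host's address in a Shorewall params variable (assumed here to be `ADMIN_IP`, with the ssh rule written as `ACCEPT net:$ADMIN_IP $FW tcp 22`) and let a cron job on the firewall resolve an assumed dynamic-DNS name for the admin machine and rewrite that one variable. The params path, variable name and hostname are illustrative assumptions; `shorewall restart` is used because params are expanded when the ruleset is compiled, so a plain refresh would not pick the new value up.

```shell
#!/bin/sh
# Added example: keep a Shorewall params variable in sync with a dynamic-DNS name.
# ADMIN_IP, the params path and admin.example.invalid are assumptions for illustration.
set -eu

PARAMS_FILE="${PARAMS_FILE:-/etc/shorewall/params}"   # assumed location of the params file
ADMIN_HOST="${ADMIN_HOST:-admin.example.invalid}"      # hypothetical dynamic-DNS name
VAR_NAME="ADMIN_IP"

# Accept only a plain dotted quad. A DNS answer that is not a literal IPv4 address
# must never reach the firewall config, since params lines are sourced by Shorewall.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet; do [ "$octet" -le 255 ] || return 1; done
}

# Print the current value of VAR_NAME in a params file (empty if unset).
current_ip() {
    sed -n "s/^${VAR_NAME}=//p" "$1" 2>/dev/null | tail -n 1
}

# Set VAR_NAME=ip in the params file, replacing an existing line or appending one.
# Prints "changed" or "unchanged"; writes via a temp file so a half-written params
# file is never in place. Returns 2 and writes nothing if the value is not an IPv4 address.
set_admin_ip() {
    file=$1 ip=$2
    valid_ipv4 "$ip" || { echo "refusing non-IPv4 value: $ip" >&2; return 2; }
    if [ "$(current_ip "$file")" = "$ip" ]; then
        echo unchanged
        return 0
    fi
    tmp=$(mktemp "${file}.XXXXXX")
    if grep -q "^${VAR_NAME}=" "$file" 2>/dev/null; then
        sed "s/^${VAR_NAME}=.*/${VAR_NAME}=${ip}/" "$file" > "$tmp"
    else
        cat "$file" > "$tmp" 2>/dev/null || :
        echo "${VAR_NAME}=${ip}" >> "$tmp"
    fi
    mv "$tmp" "$file"
    echo changed
}

# Resolve the dynamic-DNS name to its first IPv4 address (needs the network; not run offline).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# Entry point for cron: "update-admin-ip.sh run". Guarded so the file can be sourced for tests.
if [ "${1:-}" = run ]; then
    ip=$(resolve_ipv4 "$ADMIN_HOST")
    result=$(set_admin_ip "$PARAMS_FILE" "$ip")   # aborts (set -e) on a bad address
    if [ "$result" = changed ]; then
        shorewall restart                           # params are read at compile time
    fi
fi
```

Run it from root's crontab every few minutes. If the admin machine gets a new address, the next run rewrites `ADMIN_IP` and restarts Shorewall; if the DNS lookup fails or returns garbage, the script exits without touching the firewall, so the old rule stays in force rather than being replaced with something broken. The users never need a shell on the box.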