I just sent another email on the list explaining why DROP is bad for
public facing firewalls on another fork of the thread here.

Yeah, that sounds about right.  Most of the newer torrent clients don't
get identified by nmap.  Take the output it gives you when you do a -sV
scan against your machine and send it to nmap with the details of the app. 
Can you get on another computer in the network?  Try doing the nmap there. 
You may have a full whitelist for 127.0.0.1 which is actually probably a
good idea.  If you still see the ports open, try telnetting to them and see
if you get a response.

Try the port knocking that Kelly mentioned.  However, understand that port
knocking comes with its own security risks.  If someone is watching when
you do your knocking sequence, they can perform the same sequence later.
Realistically, unless you're a government organization, this probably won't
become an issue.

-Adam

On Thu, 08 Apr 2010 08:01:26 -0500, Andrew Berg <bahamutzero8825 at gmail.com> wrote:
> On 4/8/2010 6:59 AM, Adam Morris wrote:
>> 1) Usually, it's wiser and more secure to silently drop packets to avoid
>> opening yourself to certain reflective attacks.
>>   
> Could you elaborate? It's not a big deal if I have to drop instead of
> reject packets, but I'd like to know more.
>> 2) As long as you don't have software running on one of those ports that
>> could be exploited.  I would recommend running an nmap scan on your
>> localhost to see if there are any programs you may not realize are using
>> ports above 10000. nmap by default doesn't look at the full port range,
>> so you'll need to specify "-p1-65535" as one of the arguments.
>>   
> nmap returned some interesting results. I found some ports that should
> be closed that were filtered and nmap was able to determine their
> services. There were some other ports open, but nmap couldn't determine
> the service, so my guess is that these ports were opened by
> transmission-daemon to connect to other peers.
>> 3) That's a little difficult.  Do they have dynamic DNS set up for 
>> themselves?  That's the only way I can think you could set that up.
> It's done by their ISPs. If they get disconnected from their ISP (e.g.
> modem reset, service outage), they get a new IP address when they
> reconnect. I'm mostly worried about myself. Such a situation is rare,
> but if I get assigned a new IP address, I'm locked out and there's no
> one to let me back in. I could write a script that would replace
> Shorewall's rules file with a similar one that would open up ssh to the
> public so I could log in, but I'd have open ssh to one of my users, all
> of whom (AFAIK) are clueless when it comes to Linux/Unix and the sole
> reason they would have shell access would be to execute the script.
> 
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
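An added example, not code from anyone on the thread, for the localhost scan Adam recommends and the ports Andrew found that nmap could not name: it takes nmap's greppable (-oG) output and lists only the open ports with no identified service, which are the ones worth telnetting to or mapping to a process. The file format fields and the sample scan contents are constructed to resemble real nmap output.

```shell
#!/bin/sh
# Added example (not code from the thread): pick out ports that nmap reported
# as open but could not identify, so you know which ones to check by hand
# (telnet to them, or map them to a process with "netstat -ltnp" on Linux).
# Produce the real input with:  nmap -sV -p1-65535 -oG scan.gnmap 127.0.0.1

# make_sample: writes a constructed greppable-output file that mimics what
# the scan above produces (the ports and version strings are made up).
make_sample() {
  printf '# Nmap scan initiated (constructed sample)\n'
  printf 'Host: 127.0.0.1 (localhost)\tPorts: '
  printf '22/open/tcp//ssh//OpenSSH 5.3p1/, '
  printf '9091/open/tcp//xmlrpc//Transmission BitTorrent 1.92/, '
  printf '51413/open/tcp//unknown///, '
  printf '51414/filtered/tcp//unknown///'
  printf '\tIgnored State: closed (65531)\n'
  printf '# Nmap done\n'
}

# unknown_open_ports <file>: prints "port/proto" for every open port whose
# service field is empty or "unknown". Greppable port entries look like
# port/state/proto/owner/service/rpcinfo/version/ and are separated by ", ";
# the Ports field is the second tab-separated column of each "Host:" line.
unknown_open_ports() {
  grep '^Host:' "$1" | cut -f2 | sed 's/^Ports: //' | tr ',' '\n' |
    sed 's/^ *//' |
    awk -F/ '$2 == "open" && ($5 == "" || $5 == "unknown") { print $1 "/" $3 }'
}

# Run against the constructed sample; expected output: 51413/tcp
SCAN=$(mktemp)
make_sample > "$SCAN"
unknown_open_ports "$SCAN"
rm -f "$SCAN"
```

Filtered ports (like 51414 in the sample) are skipped on purpose: the firewall is already dropping them, so only the genuinely reachable unknowns are printed.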