For your ipchains ruleset, the best way to handle it is to allow
everything behind the firewall to do whatever it wants (with modules on
the firewall as needed), don't allow anything to send initial SYN packets
to the machines behind the firewall (which ipmasq does very efficiently),
and only allow SYN packets to be sent to the firewall, which you should
only be running SSH on. This way, a telnet session will not be possible
regardless. Completely shut down xinetd and all other services, and only
run essential daemons that don't use networking and SSH. This is a
semi-strong setup. Protecting machines on the internal LAN from crap like
fragmented packets, spoofing, illegal IPs, etc., helps out a lot.

tcp_wrappers operates at the software level in the TCP/IP level; thus, it
can only protect so much. tcp_wrappers basically intercepts information
from inetd/xinetd and the required daemon, looks at some basic rules the
user puts into /etc/hosts.deny and /etc/hosts.allow, and decides whether
or not to allow communication. It rarely handles services outside
inetd/xinetd.

ipchains is the best thing in the world because it operates at the
transport level (tcp/udp streams/packets) and internet/network layer (IPs,
icmp, etc). It controls all communications to the firewall, and machines
behind it. For this reason, it is far superior to a software level
security system like tcp_wrappers.
Regards,
Neil
--
To manage your subscription, go to http://mlug.missouri.edu/members/edit.php
Archives are available at http://mlug.missouri.edu/list-archives/
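The ruleset Neil describes, written out as an added example that is not part of the original post: ipchains commands for a firewall whose eth0 faces the Internet and whose eth1 faces a 192.168.1.0/24 LAN (interface names and addresses are assumed). It prints the commands by default; run it as root with the argument apply to load them.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout, adjust to taste:
# eth0 faces the Internet, eth1 faces the LAN 192.168.1.0/24, SSH is the only
# service the firewall itself runs.
EXT_IF=eth0
LAN=192.168.1.0/24

# Dry run by default (prints the commands); "sh fw.sh apply" as root loads them.
if [ "${1:-}" = "apply" ]; then
    ipc() { /sbin/ipchains "$@"; }
else
    ipc() { echo "ipchains $*"; }
fi

load_rules() {
    # Masquerading helpers go here "as needed", e.g. modprobe ip_masq_ftp
    ipc -F
    ipc -P input DENY
    ipc -P forward DENY
    ipc -P output ACCEPT

    # Everything behind the firewall (and loopback) may do what it wants
    ipc -A input -i lo -j ACCEPT
    ipc -A input -i eth1 -s "$LAN" -j ACCEPT

    # Fragments and spoofed LAN/loopback/private sources on the outside: deny and log
    ipc -A input -i "$EXT_IF" -f -j DENY -l
    ipc -A input -i "$EXT_IF" -s "$LAN" -j DENY -l
    ipc -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l
    ipc -A input -i "$EXT_IF" -s 10.0.0.0/8 -j DENY -l

    # Only SSH on the firewall may receive an initial SYN from outside
    ipc -A input -i "$EXT_IF" -p tcp --dport 22 -y -j ACCEPT
    # Any other inbound SYN is refused and logged (no telnet, no xinetd services)
    ipc -A input -i "$EXT_IF" -p tcp -y -j DENY -l
    # Non-SYN TCP: replies to connections the firewall or the LAN opened
    ipc -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # UDP replies: to the kernel's masquerade port range, plus DNS answers
    ipc -A input -i "$EXT_IF" -p udp --dport 61000:65096 -j ACCEPT
    ipc -A input -i "$EXT_IF" -p udp --sport 53 -j ACCEPT
    ipc -A input -i "$EXT_IF" -p icmp -j ACCEPT

    # LAN hosts go out masqueraded; with forward DENY nothing inbound is forwarded
    ipc -A forward -i "$EXT_IF" -s "$LAN" -j MASQ
}

load_rules
```

Rule order matters: ipchains stops at the first match, so the SSH accept must precede the catch-all SYN deny, as it does here.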