Very Computer

I'm using RH6.1 as a NAT between a DSL Internet connection and a private
network.  All the latest patches are applied periodically.  The machines on
the private network just need to use "standard" Internet services, such as
POP3, WWW, FTP, etc.  My Linux box is the private network's DNS.

Some configuration information is included below.  Have I missed anything?

Thanks.

Rider

on any
replies.

PSS:  This is attempt 2 to post (more ISP problems).  Sorry about any
duplications.  This belongs in c.o.l.security, but I can't seem to post
there.  If some kind person in c.o.l.networking would cross-post it for
me...  :)

Thanks again!

    * * * *

Services running:  Telnet, FTP, named

hosts.allow:
    ALL: 192.168.0.

hosts.deny:
    ALL: ALL

named.conf:
    options
    {
        <snip>
        allow-query
        {
            192.168.0/24;
            127.0.0.1;
        };
        <snip>
    };
    <snip>

ipchains config:
    ipchains -P forward DENY
    ipchains -A forward -s 192.168.0.0/24 -j MASQ
    /sbin/modprobe ip_masq_ftp

Done

Quote:> PSS:  This is attempt 2 to post (more ISP problems).  Sorry about any
> duplications.  This belongs in c.o.l.security, but I can't seem to post
> there.  If some kind person in c.o.l.networking would cross-post it for
> me...  :)

It's already in c.o.l.s.

Quote:> I'm using RH6.1 as a NAT between a DSL Internet connection and a private
> network.  All the latest patches are applied periodically.  The machines
> on the private network just need to use "standard" Internet services,
> such as POP3, WWW, FTP, etc.  My Linux box is the private network's DNS.

> Some configuration information is included below.  Have I missed anything?

[]
I didn't see anything wrong with hosts.{allow,deny}, as long as you're
denying by default then allowing what you need, you'll be OK as far as
inetd+portmapper stuff goes.

Quote:> ipchains config:
>     ipchains -P forward DENY
>     ipchains -A forward -s 192.168.0.0/24 -j MASQ
>     /sbin/modprobe ip_masq_ftp

This is where you're missing something. Like, an
        ipchains -P input DENY
        ipchains -d 0.0.0.0/0.0.0.0 113 -i whateverinterface -j REJECT
and then something creative involving allowing packets without the SYN flag
set and logging incoming stuff that /does/ have SYN set. Oh, and allow DNS
over UDP as well. But that should just about suffice.

HTH :)

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-
| The sun is melting over the hills,         | http://www.glutinous.custard.org

Well, you're kinda leaving yourself wide open to portscans, etc. I guess if
your Linux box isn't offering *anything* to the outside world, then you
might be ok. Personally, I don't take any chances, I firewall my external
interface.

There are several good rc.firewall scripts floating around, but (of course)
I tend to prefer mine. You can check it out at
<http://www.jsmoriss.dyndns.org/linux/rc.firewall>.

LateR!
js.
--

Personal Homepage <http://www.jsmoriss.dyndns.org/>;
UNIX, the Internet, Homebrewing, Cigars, PCS, and other Fun Stuff...
This is Linux Country. On a quiet night you can hear Windows NT reboot!