  1. #1
    Just Joined!
    Join Date
    Jul 2009
    Posts
    1

    Firewalls


    Hi, this is not exactly a question I would ask on a forum like this one, but nevertheless I will ask it. I had an argument with someone about firewalls and would like to collect some arguments supporting my view. The person I was talking to said that if you are not running services listening on given ports (say SMTP on port 25), you don't have to block these ports on your firewall. In other words, if your computer did not have any services running, you would not need a firewall at all. I don't think that is true, but how do I support my view? My argument was that if someone installed a virus listening on a port, say on port 25, my server could be vulnerable to an attack. But the guy I was arguing with said that it would have to be myself installing the virus - because viruses don't install "themselves" in Linux as they do in Windows. OK, but there must be other reasons for using firewalls, supporting my view. Are there any kind experienced network administrators out there who would like to give me some more examples showing why a firewall blocking a port would be needed even if there was no service listening on that port?

  2. #2
    Linux Newbie
    Join Date
    Sep 2004
    Location
    UK
    Posts
    161
    Port scanning using GRC ShieldsUP:

    a) Port closed (iptables DROP) and No service on port : There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

    b) Port open and No service on port: Your computer has responded that this port exists but is currently closed to connections.

    and your friend's statement that "it would have to be myself installing the virus - because viruses don't install 'themselves' in Linux as they do in Windows" is correct.

    I tend/prefer to block (DROP) unrequired ports, as it does no harm.
    In a world without walls and fences, who needs Windows and Gates?

  3. #3
    Just Joined!
    Join Date
    Jul 2009
    Posts
    7
    I don't think there is any need to block the port if there isn't any service running on it, but obviously you can block the attacker from executing any script from /tmp that might use some port for running in your server, which definitely helps in case that port is blocked.

  4. #4
    Just Joined!
    Join Date
    Feb 2009
    Posts
    23
    Shut everything, and only allow what you want through. That's how anyone running a commercial firewall will approach it.

    Sure, if you know exactly what ports and services you've got running, that's great. But are you really sure you shut down that temporary ftp server you needed to quickly use at 2am? Human error happens - plan for it.

    Just because you are using Linux shouldn't make you lazy on the security front. Some of the most insecure OSes are the straight-out-of-the-box Linux distros where by default every service is running straight after an install.

  5. #5
    Just Joined!
    Join Date
    Aug 2009
    Posts
    2

    Iptables

    Here I am writing down my OUTPUT after giving the
    iptables -L command.

    Actually I want that specific MAC to bypass the proxy (no need to give the proxy settings) while others should.

    Reply plz

    # Generated by iptables-save v1.3.8 on Mon Aug 3 16:45:14 2009
    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1:530]
    :POSTROUTING ACCEPT [1:530]
    COMMIT
    # Completed on Mon Aug 3 16:45:14 2009
    # Generated by iptables-save v1.3.8 on Mon Aug 3 16:45:14 2009
    *nat
    :PREROUTING ACCEPT [193209:14311642]
    :POSTROUTING ACCEPT [43633:2704702]
    :OUTPUT ACCEPT [87176:5364648]
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
    -A POSTROUTING -s 192.168.122.0/255.255.255.0 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Mon Aug 3 16:45:14 2009
    # Generated by iptables-save v1.3.8 on Mon Aug 3 16:45:14 2009
    *filter
    :INPUT ACCEPT [3221343:1745521322]
    :FORWARD ACCEPT [322005:107816168]
    :OUTPUT ACCEPT [3113558:1634101429]
    -A INPUT -i eth0 -m mac --mac-source 00:15:B7:33:6A:57 -j ACCEPT
    -A INPUT -i eth0 -m mac --mac-source 00:15:B7:33:6A:57 -j ACCEPT
    -A INPUT -i eth0 -m mac --mac-source 00:15:B7:33:6A:57 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j DROP
    -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j DROP
    -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j DROP
    -A FORWARD -p tcp -m tcp --dport 80 -j DROP
    -A FORWARD -p tcp -m tcp --dport 80 -j DROP
    -A FORWARD -p tcp -m tcp --dport 80 -j DROP
    -A FORWARD -p tcp -m tcp --dport 1863 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -p tcp -m tcp --dport 1863 -j DROP
    -A FORWARD -d 207.46.110.0/255.255.255.128 -j DROP
    -A FORWARD -d 207.46.104.20 -j DROP
    -A FORWARD -p tcp -m tcp --dport 1863 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -p tcp -m tcp --dport 1863 -j DROP
    -A FORWARD -d 207.46.110.0/255.255.255.128 -j DROP
    -A FORWARD -d 207.46.104.20 -j DROP
    -A FORWARD -p tcp -m tcp --dport 1863 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -p tcp -m tcp --dport 1863 -j DROP
    -A FORWARD -d 207.46.110.0/255.255.255.128 -j DROP
    -A FORWARD -d 207.46.104.20 -j DROP
    COMMIT
    # Completed on Mon Aug 3 16:45:14 2009
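A defender-side check that ties the advice in #4 (shut everything, allow only what you need) to the dump in #5: an added Python example, not code from any poster, that parses an iptables-save dump and flags filter chains whose default policy is ACCEPT, plus rules that can never match because an earlier rule with the same match expression already terminated the packet (the repeated lines in the dump above are a case of this). The sample dump is a constructed excerpt modelled on the one posted.

```python
# Constructed excerpt in iptables-save format, modelled on the filter table posted above.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [3221343:1745521322]
:FORWARD ACCEPT [322005:107816168]
-A INPUT -i eth0 -m mac --mac-source 00:15:B7:33:6A:57 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 1863 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 1863 -j DROP
COMMIT
"""

def parse_dump(text):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, rule), ...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # table header, e.g. *filter
            table = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):          # chain policy line, e.g. :INPUT ACCEPT [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            table["policies"][chain] = policy
        elif line.startswith("-A "):        # appended rule: -A CHAIN <match> -j TARGET [opts]
            _, chain, rule = line.split(" ", 2)
            table["rules"].append((chain, rule))
    return tables

def lint(text):
    """Flag ACCEPT policies in the filter table and rules shadowed by an earlier one."""
    findings = []
    for name, table in parse_dump(text).items():
        if name == "filter":
            for chain, policy in table["policies"].items():
                if policy == "ACCEPT":
                    findings.append(f"filter/{chain}: policy ACCEPT; prefer DROP plus explicit allows")
        seen = {}  # (chain, match expression) -> target of the first terminating rule
        for chain, rule in table["rules"]:
            match, _, target = rule.partition(" -j ")
            target = target.split()[0] if target else None
            if (chain, match) in seen:      # an earlier rule with this match already decided the packet
                findings.append(f"{name}/{chain}: unreachable, shadowed by -j {seen[chain, match]}: {rule}")
            elif target in ("ACCEPT", "DROP", "REJECT"):
                seen[chain, match] = target
    return findings
```

Run it against the output of `iptables-save` on a real box to see which appended rules are dead weight and which chains still default to ACCEPT.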

  6. #6
    Linux Guru coopstah13's Avatar
    Join Date
    Nov 2007
    Location
    NH, USA
    Posts
    3,149
    You should start your own thread, rather than hijack someone else's that was started for a different reason entirely.

  7. #7
    Just Joined!
    Join Date
    Aug 2009
    Posts
    2

    Unable to start new thread

    When I try to start a new thread it gives me the below-mentioned error:

    "You are only allowed to post URLs to other sites after you have made 15 posts or more."

  8. #8
    Linux Guru coopstah13's Avatar
    Join Date
    Nov 2007
    Location
    NH, USA
    Posts
    3,149
    So then remove any URL in your post or signature.
