Re: What is this?
comp.security.firewalls archive

From: Moe Trin <ibuprofin@painkiller.example.tld>
Date: Thu Sep 29 2005 - 21:52:00 CEST

In the Usenet newsgroup comp.security.firewalls, in article
<C6R_e.34914$d5.190080@newsb.telia.net>, Anders wrote:

>I make use of callcontrol, this way I can have all my ports in
>drop/block mode, even the more common ones like ftp, mail and web.

Don't forget that if you have nothing running on a port, it's closed.
No firewall is needed. For example:

[compton ~]$ netstat -atu
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ssh                   *:*                     LISTEN
[compton ~]$

Not much to exploit there. In fact SSH is only accepting connections
from a handful of addresses on the LAN. So, if I try to connect to a port
without a listener, I see

[compton ~]$ telnet localhost
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[compton ~]$

>But I do realise that if I want to make use of my own mail/web and ftp
>server I do have to open up a little.

Yes, but you can restrict the range of addresses allowed to connect.
Depending on the application, this may be a local configuration file, or
it may be done with tcp_wrappers (man 5 hosts_access) if the application
is run out of inetd/xinetd or is compiled with libwrap, or it may have
to be done with a firewall setup. As far as mail goes, unless your host
is published as an MX server (see the DNS stuff), no one other than the
port scanners is going to know you have a mail server, and your ISP
could be blocking inbound 25 anyway (all three of mine do) for spam control.

>I do like history, but I will read the more current ones first.

The basic concept of DNS is relatively simple, but there are a lot of
details to look at. Running a DNS server for a home LAN of less than 10
systems is often a waste of effort (just put everything in /etc/hosts),
but popular Linux distributions often have tools to set up a simple
server that is authoritative for the local LAN, and forwards all other
requests to the ISP, caching the result. For example, Red Hat (Fedora FC4)
has

-rw-r--r-- 1 mirror mirror 22749 Jan 5 23:04 caching-nameserver-7.3-3.noarch.rpm

to configure ISC Bind for this purpose.

>Well, in this book (Hacking Exposed, Fourth Edition, printed in 2003 by
>Stuart McClure, Joel Scambray, and George Kurtz), I did find this about
>locking traceroute to use only one particular port of your own desire.

[compton ~]$ whatis hping2
hping2 (8)           - send (almost) arbitrary TCP/IP packets to network hosts
[compton ~]$

>Traceroute 1.4a5 [...] is what they claimed should work,

That's June 1997. Not much changed in the later versions (1.4a6 to 1.4a12
came out in the last quarter of 2000), and the differences are not very
significant.

>they also declare that it is a modified version of traceroute, made by
>Michael Schiffman 1997.

I looked around the web site, but didn't find anything useful relating
to the modification.

        Old guy
Received on Sat Oct 15 04:35:29 2005
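As an added illustration of the hosts_access(5) rules the reply points to (this is not part of the post and not tcp_wrappers' own code): a small Python model of how hosts.allow and hosts.deny decide whether a daemon such as sshd accepts a client address. The file contents and addresses are constructed; only a subset of the real pattern syntax is modelled (ALL, exact address, dotted network prefix, net/mask, and EXCEPT).

```python
import ipaddress

# Constructed sample files (not from the post): sshd reachable only from the
# LAN minus one host, anything from loopback, everything else refused.
HOSTS_ALLOW = """
# daemon_list : client_list
sshd : 192.168.1. EXCEPT 192.168.1.99
ALL : 127.0.0.1
"""
HOSTS_DENY = "ALL : ALL\n"

def _match_client(pattern, client):
    """Match one IPv4 client pattern: ALL, net/mask, dotted prefix, or exact."""
    if pattern == "ALL":
        return True
    if "/" in pattern:          # e.g. 10.0.0.0/255.0.0.0
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):   # e.g. 192.168.1. matches the whole /24
        return client.startswith(pattern)
    return client == pattern

def _match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon

def _match_list(list_text, value, match_one):
    """'a b EXCEPT c' matches when a or b matches and c does not; EXCEPT nests right."""
    head, _, tail = list_text.partition("EXCEPT")
    # hosts_access separates list members with blanks and/or commas
    if not any(match_one(p, value) for p in head.replace(",", " ").split()):
        return False
    return not tail or not _match_list(tail, value, match_one)

def _file_matches(text, daemon, client):
    """True if any non-comment 'daemons : clients' line matches the pair."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        if (_match_list(daemons, daemon, _match_daemon)
                and _match_list(clients, client, _match_client)):
            return True
    return False

def access_allowed(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: allow file grants, then deny file refuses, else grant."""
    if _file_matches(allow, daemon, client):
        return True
    return not _file_matches(deny, daemon, client)
```

Note the third branch of the decision: with an empty hosts.deny, a client that matches nothing in hosts.allow is still admitted, which is why a catch-all `ALL : ALL` in hosts.deny is the usual companion to a restrictive hosts.allow.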