Re: Samba & Swat & firewall
* William C. Allen <allenwc@home.com> [010209 14:21]:
> First Question:
> I've set my firewall rules so that the ports that netbios uses are
> not forwarded to the internet but only sent internally. Those are the
> correct ports to deny, are they not?
William, you and I have very different firewall philosophies. I tend to
deny everything and then allow in a few services. Unless you *need* to
allow everything and then deny a few services, I suggest you try doing
the same. (And, yes, I think those are the right ports -- tcp and udp
137, 138, and 139.)
> Second Question:
> Swat is web based, so if I deny port 901 from the internet no one
> outside the local net can get to it? Right?
Yup. Unless someone manages to squirell (sp?) packets into the local
network through some hole (source-route packets, for instance).
> While I'm asking stupid questions, if I access the router from inside
> the network, e.g. 192.168.0.1, there is no way for someone outside the
> local net to capture the password/username, is there? So, I can use
> un-encrypted connections?
You can, if you trust all the hosts on your network. I don't -- on my
network, we have a Windows box, two Debian boxes, a Plan 9 box, and my
OpenBSD firewall/ftp/named box. While I don't think any of them are
actively sniffing my network and sending the data elsewhere, it is
*very* easy to prevent this attack. So I use ssh. :)
--
Earthlink: The #1 provider of unsolicited bulk email to the Internet.
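
Added example, not part of the original message: a small first-match rule evaluator that compares the two firewall philosophies discussed in this thread against the same set of internal services. The rule model, the service inventory (telnet, portmap, ssh) and the choice of ssh as the only public service are constructed assumptions; only ports 137-139 and 901 come from the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    proto: str         # "tcp", "udp" or "any"
    ports: frozenset   # destination ports matched; empty set means all ports

def decide(rules, default, proto, port):
    """First matching rule wins; otherwise the default policy applies."""
    for r in rules:
        if r.proto in ("any", proto) and (not r.ports or port in r.ports):
            return r.action
    return default

def exposed(rules, default, services):
    """Return the services an outside host could reach through the firewall."""
    return sorted(name for name, (proto, port) in services.items()
                  if decide(rules, default, proto, port) == "allow")

NETBIOS = frozenset({137, 138, 139})

# Philosophy A (the question): allow everything, deny NetBIOS and SWAT.
ALLOW_THEN_DENY = [Rule("deny", "any", NETBIOS),
                   Rule("deny", "tcp", frozenset({901}))]

# Philosophy B (the reply): deny everything, allow a few services.
# Assumption: the only service meant to be public is ssh on tcp/22.
DENY_THEN_ALLOW = [Rule("allow", "tcp", frozenset({22}))]

# Constructed inventory of what listens on the internal hosts.
SERVICES = {
    "netbios-ns": ("udp", 137), "netbios-dgm": ("udp", 138),
    "netbios-ssn": ("tcp", 139), "swat": ("tcp", 901), "ssh": ("tcp", 22),
    # Services nobody thought to write a deny rule for:
    "telnet": ("tcp", 23), "portmap": ("udp", 111),
}

if __name__ == "__main__":
    print("allow-then-deny exposes:", exposed(ALLOW_THEN_DENY, "allow", SERVICES))
    print("deny-then-allow exposes:", exposed(DENY_THEN_ALLOW, "deny", SERVICES))
```

Under allow-then-deny, every service without its own deny rule stays reachable; under deny-then-allow, a forgotten service is closed by default.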