
Re: Samba & Swat & firewall



>* William C. Allen <allenwc@home.com> [010209 14:21]:
>>  First Question:
>>  I've set my firewall rules so that the ports that netbios uses are
>>  not forwarded to the internet but only sent internally. Those are the
>>  correct ports to deny are they not?
>
>William, you and I have very different firewall philosophies. I tend to
>deny everything and then allow in a few services. Unless you *need* to
>allow everything and then deny a few services, I suggest you try doing
>the same. (And, yes, I think those are the right ports -- tcp and udp
>137, 138, and 139.)

Actually, that is how I have it set up; I just worried that I was 
missing the smbd and the nmbd ports, as opposed to the netbios ports! 
Boy, my wording is getting worse by the moment. I like to know what 
ports things are on, so, even if I deny all ports externally, I can 
explicitly allow those ports to be forwarded internally. External, 
all ports except . . . deny. Internal, all ports except . . . deny. 
That way there is no risk of Unreal Tournament being run internally 
or externally ;-)

I have to read the ipf rules more.

>Yup. Unless someone manages to squirell (sp?)

squirrel . .

>>  While I'm asking stupid questions, if I access the router from inside
>>  the network, eg 192.168.0.1, there is no way for someone outside the
>>  local net to capture the password/username, is there? So, I can use
>>  un-encrypted connections?
>
>You can, if you trust all the hosts on your network. I don't -- on my
>network, we have a windows box, two debian boxes, a plan9 box, and my
>OpenBSD firewall/ftp/named box. While I don't think any of them are
>actively sniffing my network and sending the data elsewhere, it is
>*very* easy to prevent this attack. So I use ssh. :)

On the Windows boxes I run checks for promiscuous mode cards and some 
of the standard sniffers periodically. They have not yet been 
infected to my knowledge. But, point taken.

One more question:

1) Is it possible to log swat connections?


-- 
Later . . . 'liam

allenwc@home.com
William C Allen, BLS, EET
"It may be that your sole purpose in life is to serve as a warning to others"
anon.
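The deny-everything-then-allow layout the two posters agree on, written out as an ipf rule set, with the SWAT logging question handled at the end. This is an editor's added example, not a rule set from either poster. Assumed, because the thread does not name them: the interface names ext0 (Internet side) and int0 (inside), the inside subnet 192.168.0.0/24 with the router at 192.168.0.1 (the address the question mentions), the config file paths, and the swat binary path. The block also goes one step beyond the ports listed in the thread (tcp and udp 137, 138, 139) by blocking tcp/445, which Windows 2000 uses for SMB without NetBIOS; that addition is marked in the comments.

```text
# /etc/ipf.rules (assumed path) -- editor's example, not from the thread.
# ext0 = Internet-facing interface, int0 = 192.168.0.0/24 side (both assumed).
# ipf evaluates rules in order and the LAST match wins, unless a rule says
# "quick", in which case matching stops there. NAT (ipnat) is not shown.

# Default for everything, both directions, every interface: drop and log.
block in  log all
block out log all

# NetBIOS/SMB never crosses the external interface, in either direction,
# regardless of any later "pass" rule. "136 >< 140" is ipf's exclusive
# range, i.e. ports 137, 138 and 139. tcp/445 (SMB without NetBIOS,
# Windows 2000 and later) is added here beyond the ports the thread lists.
block in  log quick on ext0 proto tcp/udp from any to any port 136 >< 140
block out log quick on ext0 proto tcp/udp from any to any port 136 >< 140
block in  log quick on ext0 proto tcp     from any to any port = 445
block out log quick on ext0 proto tcp     from any to any port = 445

# Windows networking only on the inside interface and only from the local
# subnet; "keep state" lets the replies back without a matching pass-out rule.
pass in quick on int0 proto tcp/udp from 192.168.0.0/24 to any port 136 >< 140 keep state
pass in quick on int0 proto tcp     from 192.168.0.0/24 to any port = 445 flags S keep state

# Administration of the router (192.168.0.1) from inside only, and only over
# ssh, so the username/password never travel in clear (the point made above).
pass in quick on int0 proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 22 flags S keep state

# SWAT (conventionally tcp/901) from inside only. The "log" keyword makes
# ipmon record every new connection with source address and time, which is
# one answer to "is it possible to log swat connections?".
pass in log quick on int0 proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 901 flags S keep state

# Anything else that inside hosts start towards the Internet may go out.
pass in  quick on int0 proto tcp/udp from 192.168.0.0/24 to any keep state
pass out quick on ext0 proto tcp/udp from any to any keep state
pass out quick on ext0 proto icmp    from any to any keep state

# ---------------------------------------------------------------------------
# The second way to log SWAT connections: start swat from inetd through
# tcpd (tcp_wrappers), which logs each connection to syslog and enforces
# hosts.allow/hosts.deny. Paths are assumed.

# /etc/services
swat            901/tcp

# /etc/inetd.conf
swat    stream  tcp     nowait.400      root    /usr/sbin/tcpd  /usr/local/samba/bin/swat

# /etc/hosts.allow
swat: 192.168.0.0/255.255.255.0

# /etc/hosts.deny
swat: ALL
```

Load the rules with `ipf -Fa -f /etc/ipf.rules`, run `ipmon -s` so the logged packets go to syslog, and send inetd a HUP after editing inetd.conf. Two caveats a practitioner would want: the ipf log shows only that a connection to port 901 was made, not who logged in, and SWAT itself still sends the username and password over plain HTTP, so keeping it reachable only from the inside (or over an ssh port forward) is what actually protects the credentials, exactly as the ssh argument above says.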