security

J.A. Neitzel jan.listbox at belvento.org
Sun Oct 7 10:06:15 PDT 2001


Daniel Roethlisberger wrote:
> J.A. Neitzel <jan.listbox at belvento.org> wrote:
>> What if this dial-up (via PPP link?) machine has 0 (zero) ports
>> listening for connections. In a situation like this, can a
> 
> This is very theoretical. I've never seen a box which had no
> listening ports at all. Do you agree with me that 99.9% of all
> finished LFS boxes have at least one service running by the time
> they connect to the Internet? There's hardly any box without any
> sshd, telnetd, or ftpd installed, don't you think?

Mmmm, let's see... I think those 99.9% might be by accident listening
ports because a person doesn't quite know all this stuff yet. You are
right, but 99.9% or not..? If they *are* only open by accident, they
are still open. I just think in a case like this, a firewall might give
a false sense of security where there already is none. See what I say?

Theoretical? Probably yes, but LFS by the book in its raw form I think
has no listening ports. Maybe this is different on a machine with a
NIC, but I don't know ICBW...

A raw LFS install basically runs {sys,k}logd, and even syslogd won't
listen on the network without the "-r" flag. Then, as you know, it
will listen on (udp) 514.

>> firewall serve any really useful purpose? Probably it can, but
>> could you maybe give a small example to illustrate?
> 
> There are many things you don't want, even if you don't actually
> have any ports open on purpose. Some of them are to deny access to
> accidentally opened ports, stop OS fingerprinting (nmap, queso, x,
> ..), port scanning (nmap, hping, nessus, whatever), drop
> potentially dangerous ICMP types (those "without any socially
> redeeming value" as someone once put it), drop garbage coming from
> reserved address ranges, drop smurfed ICMP Echo Requests, drop TCP
> Timestamps, drop source-routed IP, the list is neverending. And,
> flaws in TCP/IP stacks are found from time to time; if you have it
> all closed down then the chance someone can use it against you is
> a lot smaller. Just like safer sex :o)

And now I know; thanks for the examples/explanations on this firewall
bit. It adds to what I already know. AND... There is still value in
the notion that a firewall won't fix something that is already broken.

> Cheers,
> Dan
-- 
Double cheers =)
Jeff
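The thread's "zero listening ports" claim is easy to check rather than assume. The script below is an added example, not part of the original thread or of LFS: it parses the kernel's /proc/net/{tcp,tcp6,udp,udp6} tables directly (no netstat needed, which a raw LFS box may not have), lists every listening TCP socket and every bound UDP socket, and separates loopback-only binds from ones reachable over the PPP link. The sample tables are constructed and assume a little-endian host, which is how the kernel prints those addresses on x86.

```python
import socket
import struct

TCP_LISTEN, UDP_BOUND = "0A", "07"  # st field: TCP LISTEN / bound, unconnected UDP socket

def decode_addr(hexaddr):
    """Turn the kernel's 'HEXIP:HEXPORT' field into ('ip', port). Assumes a little-endian host."""
    ip_hex, port_hex = hexaddr.split(":")
    if len(ip_hex) == 8:   # IPv4: one 32-bit word in host byte order
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    else:                  # IPv6: four 32-bit words, each in host byte order
        raw = b"".join(struct.pack("<I", int(ip_hex[i:i + 8], 16)) for i in range(0, 32, 8))
        ip = socket.inet_ntop(socket.AF_INET6, raw)
    return ip, int(port_hex, 16)

def parse_table(text, proto):
    """Return [(proto, ip, port)] for every listening socket in one /proc/net/* table."""
    want = TCP_LISTEN if proto.startswith("tcp") else UDP_BOUND
    out = []
    for line in text.splitlines()[1:]:   # line 0 is the column header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == want:
            out.append((proto, *decode_addr(fields[1])))
    return out

def network_reachable(sockets):
    """Drop loopback-only binds: those are not reachable over the PPP link."""
    return [s for s in sockets if not (s[1].startswith("127.") or s[1] == "::1")]

def audit_live_host():
    """Read the real kernel tables (Linux only); returns network-reachable listeners."""
    found = []
    for name in ("tcp", "tcp6", "udp", "udp6"):
        try:
            with open(f"/proc/net/{name}") as fh:
                found += parse_table(fh.read(), name)
        except FileNotFoundError:   # e.g. no IPv6 support in this kernel
            pass
    return network_reachable(found)

# Constructed sample tables (not from a real host): sshd on 0.0.0.0:22, an MTA bound to
# loopback only on 127.0.0.1:25, one ESTABLISHED connection, and syslogd -r on udp 514.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0100007F:8ABC 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 1003
"""
SAMPLE_UDP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0202 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1004
"""
```

Run audit_live_host() on the box after it has been up for a while, not only right after boot, since the UDP table also shows sockets that client programs (a resolver, ntpdate) bind temporarily.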
