From: Chuck Anderson <cra@WPI.EDU>
To: cerowrt-devel@lists.bufferbloat.net
Date: Sat, 19 Apr 2014 12:36:39 -0400
Subject: [Cerowrt-devel] open ports on WAN
Message-ID: <20140419163638.GX16334@angus.ind.WPI.EDU>
I was curious to see what services were open on the WAN to the CeroWrt
router itself.  It looks like the following services are open and not
firewalled via iptables directly:

  21     telnet
  22     ssh
  23     ftp
  873    rsync
  12865  netserver

The only thing blocking access is the xinetd configuration:

  defaults
  {
      per_source = 16
      only_from  = 192.168.0.0/16 172.16.0.0/12
      instances  = 18
      max_load   = 16
  }

Is this a good idea, relying only on this default config to block access
to those services?  Or should the iptables firewall default to blocking
everything and only poke holes where they are needed, rather than how it
is now--only blocking a list of ports which doesn't include the above
ports?
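As an added illustration of the two firewall styles the post contrasts (this is example code written for this archive page, not CeroWrt's own firewall script), the snippet below walks a constructed `iptables -S INPUT` chain the way netfilter evaluates a fresh inbound SYN and reports which of the listening ports named above would still be reachable from the WAN. The listener list, both chains and the interface name `wan0` are assumptions; it also ignores the xinetd `only_from` layer entirely, which is the point: that restriction is not in the packet-filter path, so the audit only counts iptables.

```python
import re

# Constructed `netstat -ltn` output: every service bound to all addresses; the ports
# are the ones named in the post.  The WAN interface name "wan0" is an assumption.
LISTENERS = """
tcp 0 0 0.0.0.0:21    0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22    0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23    0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80    0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:873   0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:12865 0.0.0.0:* LISTEN
"""
# Constructed `iptables -S INPUT`, blocklist style: accept by default, drop a few ports.
BLOCKLIST_CHAIN = """
-P INPUT ACCEPT
-A INPUT -i wan0 -p tcp --dport 80 -j DROP
"""
# Constructed default-deny style: drop by default, open only what is needed.
DEFAULT_DENY_CHAIN = """
-P INPUT DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i wan0 -p tcp --dport 22 -j ACCEPT
"""

def listening_ports(netstat_text):
    """Parse LISTEN lines of netstat output; return the set of local TCP ports."""
    pat = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN")
    return {int(m.group(1)) for m in map(pat.match, netstat_text.splitlines()) if m}

def wan_reachable(netstat_text, chain_text, wan="wan0"):
    """Evaluate the INPUT chain for a NEW inbound SYN arriving on `wan`:
    the first matching rule decides, otherwise the chain policy applies."""
    policy, rules = "ACCEPT", []
    for line in chain_text.split("\n"):
        words = line.split()
        if words[:2] == ["-P", "INPUT"]:
            policy = words[2]
        elif words[:2] == ["-A", "INPUT"]:
            # State rules never match a fresh SYN; rules scoped to another interface don't apply.
            if "--ctstate" in words or ("-i" in words and words[words.index("-i") + 1] != wan):
                continue
            port = int(words[words.index("--dport") + 1]) if "--dport" in words else None
            rules.append((port, words[words.index("-j") + 1]))
    exposed = set()
    for port in listening_ports(netstat_text):
        verdict = next((act for p, act in rules if p in (None, port)), policy)
        if verdict == "ACCEPT":
            exposed.add(port)
    return exposed
```

Running `wan_reachable(LISTENERS, BLOCKLIST_CHAIN)` leaves 21, 22, 23, 873 and 12865 reachable, while the default-deny chain leaves only 22.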