Re: [Cerowrt-devel] open ports on WAN

[Dave Taht <dave.taht@gmail.com>]

On Sat, Apr 19, 2014 at 9:36 AM, Chuck Anderson <cra@wpi.edu> wrote:
> I was curious to see what services were open on the WAN to the CeroWrt
> router itself.  It looks like the following services are open and not
> firewalled via iptables directly:
>
> 21 telnet
> 22 ssh
> 23 ftp
> 873 rsync
> 12865 netserver
>
> The only thing blocking access is the xinetd configuration:
>
> defaults
> {
>               per_source = 16
>               only_from = 192.168.0.0/16 172.16.0.0/12
>               instances = 18
>               max_load = 16
> }

> Is this a good idea, relying only on this default config to block
> access to those services?  Or should the iptables firewall default to
> blocking everything and only poke holes where they are needed rather
> than how it is now--only blocking a list of ports which doesn't
> include the above ports?

telnet and ftp are actually sensors that detect probe attempts and
block off attempts to access any other services from the offending
IP.

I like the sensor capability, and wish it could trigger adding firewall
rules as well.

Rsync has no conf file by default, and ssh and netserver are limited by
default to the common internal  IP  addresses.

You  can tighten these down further if you like.

> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article