From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-we0-x22b.google.com (mail-we0-x22b.google.com [IPv6:2a00:1450:400c:c03::22b]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by huchra.bufferbloat.net (Postfix) with ESMTPS id 56F8521F231 for ; Sat, 19 Apr 2014 10:52:31 -0700 (PDT) Received: by mail-we0-f171.google.com with SMTP id t61so2539116wes.16 for ; Sat, 19 Apr 2014 10:52:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=aE6afgQziQ3RfnEjOI1e6uEtN/MibQ3pIAqILZ0J+w8=; b=0B5/GAc3yY8f7VU8dI8UaPgu7ahQCHnV20y8Jqf7WiMuwofKsRYCKWo29rv6IBzqYl NEVHG+vWXokR9CHMn4PlJybKH/OoNXWoDyp7lnZlEE5BNUcXWIFPHoQKKXdS+C/3Y7tl K0WiTB/wMNddphWc+s3j8kfqf8Y47sfi4bmQWRpXoVguvXAx6p9T5b4q0snH9rNVVXe+ sMn76uCNfPxyrh3OzE1wAtOvjHHUd9LY3EwW6XYsx6W5DKJ0aMmHTK/yOYxW/CzMwE4K 7A/D0tvEegDwilYs9AEC3dt8rzcIpHJ7v+FUdyxPi0YB6S6heKR9LWFABO8gKrLo6V1l jFrQ== MIME-Version: 1.0 X-Received: by 10.180.37.178 with SMTP id z18mr7410991wij.46.1397929948842; Sat, 19 Apr 2014 10:52:28 -0700 (PDT) Received: by 10.216.177.10 with HTTP; Sat, 19 Apr 2014 10:52:28 -0700 (PDT) In-Reply-To: <20140419163638.GX16334@angus.ind.WPI.EDU> References: <20140419163638.GX16334@angus.ind.WPI.EDU> Date: Sat, 19 Apr 2014 10:52:28 -0700 Message-ID: From: Dave Taht To: "cerowrt-devel@lists.bufferbloat.net" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [Cerowrt-devel] open ports on WAN X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 19 Apr 2014 17:52:31 -0000 On Sat, Apr 19, 2014 at 9:36 AM, Chuck Anderson wrote: > I was curious to see what services were open on the WAN to the CeroWrt > router itself. It looks like the following services are open and not > firewalled via iptables directly: > > 21 telnet > 22 ssh > 23 ftp > 873 rsync > 12865 netserver > > The only thing blocking access is the xinetd configuration: > > defaults > { > per_source =3D 16 > only_from =3D 192.168.0.0/16 172.16.0.0/12 > instances =3D 18 > max_load =3D 16 > } > Is this a good idea, relying only on this default config to block > access to those services? Or should the iptables firewall default to > blocking everything and only poke holes where they are needed rather > than how it is now--only blocking a list of ports which doesn't > include the above ports? telnet and ftp are actually sensors that detect probe attempts and block off attempts to access any other services from the offending IP. I like the sensor capability, and wish it could trigger adding firewall rules as well. Rsync has no conf file by default, and ssh and netserver are limited by default to the common internal IP addresses. You can tighten these down further if you like. > _______________________________________________ > Cerowrt-devel mailing list > Cerowrt-devel@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/cerowrt-devel --=20 Dave T=C3=A4ht NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_= indecent.article