From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <marc@merlins.org>
Received: from mail1.merlins.org (magic.merlins.org [209.81.13.136])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by huchra.bufferbloat.net (Postfix) with ESMTPS id AE0DE208AAB
	for <cerowrt-users@lists.bufferbloat.net>;
	Sun, 25 Nov 2012 12:31:44 -0800 (PST)
Received: from merlin by mail1.merlins.org with local (Exim 4.77 #2)
	id 1Tcire-00041x-F2 for <cerowrt-users@lists.bufferbloat.net>;
	Sun, 25 Nov 2012 12:31:42 -0800
Date: Sun, 25 Nov 2012 12:31:42 -0800
From: Marc MERLIN <marc@merlins.org>
To: cerowrt-users@lists.bufferbloat.net
Message-ID: <20121125203142.GB24680@merlins.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Sysadmin: BOFH
X-URL: http://marc.merlins.org/
X-Operating-System: Proudly running Linux
	3.1.5-core2-volpreempt-noide-hm64-20111218/Debian squeeze/sid
X-Mailer: Some Outlooks can't quote properly without this header
User-Agent: Mutt/1.5.13 (2006-08-11)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: marc@merlins.org
Subject: [Cerowrt-users] firewalling suggestion
X-BeenThere: cerowrt-users@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Support for user problems regarding cerowrt
	<cerowrt-users.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/cerowrt-users>,
	<mailto:cerowrt-users-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/cerowrt-users>
List-Post: <mailto:cerowrt-users@lists.bufferbloat.net>
List-Help: <mailto:cerowrt-users-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/cerowrt-users>,
	<mailto:cerowrt-users-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Sun, 25 Nov 2012 20:31:44 -0000

Howdy,

I like having my ssh port available on the internet side so that I can get
into my router from there if needed.

To do so, I had to edit /etc/xinetd.conf which prevents any connection from
outside to a bunch of services, including dropbear/ssh.

In turn, this enables a bunch of services to the internet, I'm not looking
at enabling, so I firewalled them with iptables.

But this brings the question: can the default config be fixed accordingly?
Firewalling with inetd and hosts.allow is so early 1990's :)

I changed the firewalling config as such:

config rule
        option src 'wan'
        option proto 'tcp udp'
        option target 'ACCEPT'
        option name 'allow outside mgmt'
        option dest_port '22 81 443'

config rule
        option src 'wan'
        option proto 'tcp udp'
        option name 'blockconfig'
        option target 'DROP'
        option dest_port '1-65535'

config rule
        option src 'guest'
        option proto 'tcp udp'
        option dest_port '80 81 137 138 139 445'
        option name 'blockconfig2'
        option target 'DROP'

This isn't one size fits all, but changing the default to allow all from xinetd, 
block all from wan, except a few services, is probably a good idea, no?

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/