From: Marc MERLIN
To: Dave Taht
Cc: cerowrt-users@lists.bufferbloat.net
Date: Sun, 25 Nov 2012 12:49:35 -0800
Subject: Re: [Cerowrt-users] firewalling suggestion
Message-ID: <20121125204935.GD24680@merlins.org>
References: <20121125203142.GB24680@merlins.org>

On Sun, Nov 25, 2012 at 09:48:06PM +0100, Dave Taht wrote:
> you can allow in ssh in the specific /etc/xinet.d/ssh file.

Sure, I can do that.

But I don't get the point: why mix iptables firewalling and userspace IP
blocking in xinetd?

Marc

> On Sun, Nov 25, 2012 at 9:31 PM, Marc MERLIN wrote:
> > Howdy,
> >
> > I like having my ssh port available on the internet side so that I can get
> > into my router from there if needed.
> >
> > To do so, I had to edit /etc/xinetd.conf which prevents any connection from
> > outside to a bunch of services, including dropbear/ssh.
> >
> > In turn, this enables a bunch of services to the internet I'm not looking
> > at enabling, so I firewalled them with iptables.
> >
> > But this brings the question: can the default config be fixed accordingly?
> > Firewalling with inetd and hosts.allow is so early 1990's :)
> >
> > I changed the firewalling config as such:
> >
> > config rule
> >     option src 'wan'
> >     option proto 'tcp udp'
> >     option target 'ACCEPT'
> >     option name 'allow outside mgmt'
> >     option dest_port '22 81 443'
> >
> > config rule
> >     option src 'wan'
> >     option proto 'tcp udp'
> >     option name 'blockconfig'
> >     option target 'DROP'
> >     option dest_port '1-65535'
> >
> > config rule
> >     option src 'guest'
> >     option proto 'tcp udp'
> >     option dest_port '80 81 137 138 139 445'
> >     option name 'blockconfig2'
> >     option target 'DROP'
> >
> > This isn't one size fits all, but changing the default to allow all from xinetd,
> > block all from wan, except a few services, is probably a good idea, no?
> >
> > Marc
> > --
> > "A mouse is a device used to point at the xterm you want to type in" - A.S.R.
> > Microsoft is to operating systems ....
> >                                       .... what McDonalds is to gourmet cooking
> > Home page: http://marc.merlins.org/
> > _______________________________________________
> > Cerowrt-users mailing list
> > Cerowrt-users@lists.bufferbloat.net
> > https://lists.bufferbloat.net/listinfo/cerowrt-users
>
>
> --
> Dave Täht
>
> Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
>

--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
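As an added example (not code from the thread or from CeroWrt), a small Python model of how the three UCI rules Marc posted resolve for traffic aimed at the router itself; it assumes the firewall applies rules in configuration order under first-match semantics and that a rule with no 'dest' option covers the router's own input path. The final check shows why the ACCEPT for the management ports has to precede the 1-65535 DROP.

```python
# Constructed sample: the three firewall rules from Marc's mail, in UCI syntax.
UCI_RULES = """
config rule
    option src 'wan'
    option proto 'tcp udp'
    option target 'ACCEPT'
    option name 'allow outside mgmt'
    option dest_port '22 81 443'
config rule
    option src 'wan'
    option proto 'tcp udp'
    option name 'blockconfig'
    option target 'DROP'
    option dest_port '1-65535'
config rule
    option src 'guest'
    option proto 'tcp udp'
    option dest_port '80 81 137 138 139 445'
    option name 'blockconfig2'
    option target 'DROP'
"""

def parse_uci_rules(text):
    """One {option: value} dict per 'config rule' section, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line == "config rule":
            rules.append({})
        elif line.startswith("option ") and rules:
            key, _, val = line[7:].partition(" ")
            rules[-1][key] = val.strip().strip("'")
    return rules

def port_in_spec(port, spec):
    """dest_port is space-separated ports and/or ranges such as '1-65535'."""
    for item in spec.split():
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def first_match(rules, src, proto, port):
    """Target of the first rule hit by traffic to the router from zone 'src'
    (no 'dest' option: input path); None if nothing matches. Assumes config order."""
    for r in rules:
        if (r.get("src") == src and proto in r.get("proto", "").split()
                and port_in_spec(port, r.get("dest_port", "1-65535"))):
            return r.get("target")
    return None
```

A None result means no explicit rule matched and the zone's default input policy decides, which is exactly the gap Marc's catch-all DROP on wan closes.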