From: Marc MERLIN <marc@merlins.org>
To: Dave Taht <dave.taht@gmail.com>
Cc: cerowrt-users@lists.bufferbloat.net
Subject: Re: [Cerowrt-users] firewalling suggestion
Date: Sun, 25 Nov 2012 14:56:27 -0800 [thread overview]
Message-ID: <20121125225627.GE24680@merlins.org> (raw)
In-Reply-To: <CAA93jw7UQrNCO34i-UwC6ip_p-MORiS8U-ACnP_9fj9HkA98HA@mail.gmail.com>
On Sun, Nov 25, 2012 at 11:41:55PM +0100, Dave Taht wrote:
> 1) I wanted sensors to actively "do something" when someone was up to
> fishy stuff. So, for example, an attempt to telnet or ftp to the
> router disables all xinetd run services, notably ssh. I'd like it if
> instead of firewalling off port 53, attempts to use it as an amplifier
> were logged and reported back to a home base. Similarly, email
> attempts when no email server is configured, and participating in
> rbls....
I do that with iptables log parsing, although I'm not sure how you get
iptables deny logs on cerowrt, maybe readlog would get them?
> I'm aware (now) that there exist tools that will do a better job of inserting
> appropo firewall rules on demand but haven't got around to evaluating them.
Gotcha.
> 2) Save on memory. It was my hope to eventually fire off the local and
> configuration web servers from xinetd (and by doing so, protect them
> also
> from attacks from within and without the network) - but more importantly
> not waste the ram they use.
I'm not against xinetd. I think on demand starting is a good idea, keep
that.
> 3) While it is "so 90s", there are a multitude of other useful services that can
> run on demand out of xinetd. For example, rsync, and leafnode and jabber.
Sorry I was unclear. xinetd is not "so 90s". Firewalling with it is :)
> I'm ambivalent about this feature in present day cerowrt, both using
> it in xinetd and iptables is unessessarily difficult, however I would
> have approached your problem by adding in the allowed hosts into the
> xinetd ssh file.
I could, as an admin I just don't like the multiple layers of incompatible
and independently configured firewalling.
I did keep xinetd and ssh run from there, it's a good idea like you said, I
just moved the firewalling to iptables where it belongs IMO.
Thanks for explaining, at least now I know I didn't miss something stupid :)
Cheers,
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
prev parent reply other threads:[~2012-11-25 22:56 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-25 20:31 Marc MERLIN
2012-11-25 20:48 ` Dave Taht
2012-11-25 20:49 ` Marc MERLIN
2012-11-25 22:41 ` Dave Taht
2012-11-25 22:56 ` Marc MERLIN [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121125225627.GE24680@merlins.org \
--to=marc@merlins.org \
--cc=cerowrt-users@lists.bufferbloat.net \
--cc=dave.taht@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox