From: Marc MERLIN
To: Dave Taht
Cc: cerowrt-users@lists.bufferbloat.net
Date: Sun, 25 Nov 2012 14:56:27 -0800
Subject: Re: [Cerowrt-users] firewalling suggestion
Message-ID: <20121125225627.GE24680@merlins.org>
References: <20121125203142.GB24680@merlins.org> <20121125204935.GD24680@merlins.org>
User-Agent: Mutt/1.5.13 (2006-08-11)

On Sun, Nov 25, 2012 at 11:41:55PM +0100, Dave Taht wrote:
> 1) I wanted sensors to actively "do something" when someone was up to
> fishy stuff. So, for example, an attempt to telnet or ftp to the
> router disables all xinetd run services, notably ssh. I'd like it if
> instead of firewalling off port 53, attempts to use it as an amplifier
> were logged and reported back to a home base. Similarly, email
> attempts when no email server is configured, and participating in
> rbls....
I do that with iptables log parsing, although I'm not sure how you get
iptables deny logs on cerowrt, maybe readlog would get them?

> I'm aware (now) that there exist tools that will do a better job of inserting
> apropos firewall rules on demand but haven't got around to evaluating them.

Gotcha.

> 2) Save on memory. It was my hope to eventually fire off the local and
> configuration web servers from xinetd (and by doing so, protect them also
> from attacks from within and without the network) - but more importantly
> not waste the ram they use.

I'm not against xinetd. I think on-demand starting is a good idea, keep that.

> 3) While it is "so 90s", there are a multitude of other useful services that can
> run on demand out of xinetd. For example, rsync, and leafnode and jabber.

Sorry I was unclear. xinetd is not "so 90s". Firewalling with it is :)

> I'm ambivalent about this feature in present day cerowrt, both using
> it in xinetd and iptables is unnecessarily difficult, however I would
> have approached your problem by adding in the allowed hosts into the
> xinetd ssh file.

I could, as an admin I just don't like the multiple layers of incompatible
and independently configured firewalling.

I did keep xinetd and ssh run from there, it's a good idea like you said, I
just moved the firewalling to iptables where it belongs IMO.

Thanks for explaining, at least now I know I didn't miss something stupid :)

Cheers,
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
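The "iptables log parsing" Marc mentions, and the reporting of telnet/ftp, DNS-amplifier and mail probes that Dave wants sent back to a home base, can be done with a small parser over the kernel's LOG target output. The script below is an added example and is not code from either poster or from the CeroWrt project. It assumes the DROP rules were given `--log-prefix "IPT-DENY: "`, that the WAN interface is named `ge00` and the LAN side `se00` (both assumptions), and the log lines it runs on are constructed samples, not real CeroWrt output. It only summarises what was logged; any reaction (mailing the report, tightening a rule) is left to the caller.

```python
import re
from collections import defaultdict

# Constructed sample of iptables LOG output (not taken from the thread).
# The "IPT-DENY: " prefix and the interface names are assumptions.
SAMPLE_LOG = """\
Nov 25 14:50:01 cerowrt kernel: IPT-DENY: IN=ge00 OUT= SRC=203.0.113.5 DST=198.51.100.1 LEN=60 TTL=50 PROTO=TCP SPT=44321 DPT=23 SYN
Nov 25 14:50:02 cerowrt kernel: IPT-DENY: IN=ge00 OUT= SRC=203.0.113.5 DST=198.51.100.1 LEN=60 TTL=50 PROTO=TCP SPT=44322 DPT=21 SYN
Nov 25 14:50:03 cerowrt kernel: IPT-DENY: IN=ge00 OUT= SRC=203.0.113.9 DST=198.51.100.1 LEN=73 TTL=48 PROTO=UDP SPT=53412 DPT=53
Nov 25 14:50:04 cerowrt kernel: IPT-DENY: IN=ge00 OUT= SRC=203.0.113.9 DST=198.51.100.1 LEN=60 TTL=48 PROTO=TCP SPT=51000 DPT=25 SYN
Nov 25 14:50:05 cerowrt kernel: IPT-DENY: IN=se00 OUT= SRC=172.30.42.20 DST=172.30.42.1 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=22 SYN
Nov 25 14:50:06 cerowrt kernel: unrelated kernel message
"""

LOG_PREFIX = "IPT-DENY: "            # assumed --log-prefix on the DROP rules
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; bare flags (SYN) are skipped

# Services the thread treats as "fishy" when hit from the WAN: the router runs
# no telnet/ftp daemon, no mail server is configured, and DNS must not be
# answering outside queries (amplifier abuse). Standard port numbers.
WATCHED_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 53: "dns"}


def parse_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line, or None if the
    line does not carry our prefix."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(LOG_PREFIX):]))


def classify(fields, wan_ifaces=("ge00",)):
    """Name the watched service a dropped packet was aimed at, or None.
    Only packets that arrived on a WAN interface count; LAN noise is ignored."""
    if fields.get("IN") not in wan_ifaces:
        return None
    try:
        dport = int(fields.get("DPT", ""))
    except ValueError:
        return None  # ICMP and other lines have no DPT field
    return WATCHED_PORTS.get(dport)


def summarize(log_text, wan_ifaces=("ge00",)):
    """Count watched-service hits per source address.
    Returns {src: {service: count}}, busiest source first."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        service = classify(fields, wan_ifaces)
        if service:
            hits[fields["SRC"]][service] += 1
    ordered = sorted(hits.items(), key=lambda kv: -sum(kv[1].values()))
    return {src: dict(services) for src, services in ordered}


def report(log_text):
    """One plain-text line per offending source, ready to mail to a home base."""
    lines = []
    for src, services in summarize(log_text).items():
        detail = ", ".join(f"{svc}x{n}" for svc, n in sorted(services.items()))
        lines.append(f"{src}: {detail}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On a real router the same functions would be fed the output of `logread` (or whatever CeroWrt exposes for kernel messages) instead of `SAMPLE_LOG`; the DPT-to-service table is the only thing to adjust when the set of services the box is meant to offer changes.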