From: Dave Taht
To: Marc MERLIN
Cc: cerowrt-users@lists.bufferbloat.net
Date: Sun, 25 Nov 2012 23:41:55 +0100
Subject: Re: [Cerowrt-users] firewalling suggestion

In part, I agree with you that iptables is one layer, and more effective in many cases.

The specific reasons for using xinetd (back in early cerowrt days) were:

1) I wanted sensors to actively "do something" when someone was up to fishy stuff. So, for example, an attempt to telnet or ftp to the router disables all xinetd-run services, notably ssh. I'd like it if, instead of firewalling off port 53, attempts to use it as an amplifier were logged and reported back to a home base. Similarly, email attempts when no email server is configured, and participating in rbls.... I'm aware (now) that there exist tools that will do a better job of inserting apropos firewall rules on demand but haven't got around to evaluating them.

2) Save on memory. It was my hope to eventually fire off the local and configuration web servers from xinetd (and by doing so, protect them also from attacks from within and without the network) - but more importantly not waste the ram they use.

3) While it is "so 90s", there are a multitude of other useful services that can run on demand out of xinetd. For example, rsync, and leafnode and jabber.

4) I thought at one point I'd run dhcp out of this too, but dnsmasq has proven small and robust enough (and secure enough) for me to trust to do dhcp.

I'm ambivalent about this feature in present day cerowrt; both using it in xinetd and iptables is unnecessarily difficult. However, I would have approached your problem by adding the allowed hosts into the xinetd ssh file.

On Sun, Nov 25, 2012 at 9:49 PM, Marc MERLIN wrote:
> On Sun, Nov 25, 2012 at 09:48:06PM +0100, Dave Taht wrote:
>> you can allow in ssh in the specific /etc/xinet.d/ssh file.
>
> Sure, I can do that.
> But I don't get the point: why mix iptables firewalling and userspace IP
> blocking in xinetd?
>
> Marc
>
>> On Sun, Nov 25, 2012 at 9:31 PM, Marc MERLIN wrote:
>> > Howdy,
>> >
>> > I like having my ssh port available on the internet side so that I can get
>> > into my router from there if needed.
>> >
>> > To do so, I had to edit /etc/xinetd.conf which prevents any connection from
>> > outside to a bunch of services, including dropbear/ssh.
>> >
>> > In turn, this enables a bunch of services to the internet I'm not looking
>> > at enabling, so I firewalled them with iptables.
>> >
>> > But this brings the question: can the default config be fixed accordingly?
>> > Firewalling with inetd and hosts.allow is so early 1990's :)
>> >
>> > I changed the firewalling config as such:
>> >
>> > config rule
>> >     option src 'wan'
>> >     option proto 'tcp udp'
>> >     option target 'ACCEPT'
>> >     option name 'allow outside mgmt'
>> >     option dest_port '22 81 443'
>> >
>> > config rule
>> >     option src 'wan'
>> >     option proto 'tcp udp'
>> >     option name 'blockconfig'
>> >     option target 'DROP'
>> >     option dest_port '1-65535'
>> >
>> > config rule
>> >     option src 'guest'
>> >     option proto 'tcp udp'
>> >     option dest_port '80 81 137 138 139 445'
>> >     option name 'blockconfig2'
>> >     option target 'DROP'
>> >
>> > This isn't one size fits all, but changing the default to allow all from xinetd,
>> > block all from wan, except a few services, is probably a good idea, no?
>> >
>> > Marc
>> > --
>> > "A mouse is a device used to point at the xterm you want to type in" - A.S.R.
>> > Microsoft is to operating systems ....
>> >                                       .... what McDonalds is to gourmet cooking
>> > Home page: http://marc.merlins.org/
>> > _______________________________________________
>> > Cerowrt-users mailing list
>> > Cerowrt-users@lists.bufferbloat.net
>> > https://lists.bufferbloat.net/listinfo/cerowrt-users
>>
>>
>>
>> --
>> Dave Täht
>>
>> Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
>
>
> --
> "A mouse is a device used to point at the xterm you want to type in" - A.S.R.
> Microsoft is to operating systems ....
>                                       .... what McDonalds is to gourmet cooking
> Home page: http://marc.merlins.org/

--
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
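The two xinetd mechanisms the thread talks about, an allowed-hosts list on the ssh service (Dave's suggested approach) and a "sensor" on a port nobody legitimate should touch (his point 1), written out as an added example. This is not the configuration cerowrt ships and not code from either poster; it assumes dropbear is at /usr/sbin/dropbear and runs in inetd mode with -i, and the addresses 203.0.113.0/24 and 192.0.2.17 are placeholders from the documentation ranges standing in for real management hosts.

```conf
# /etc/xinetd.d/ssh  (example; not the file cerowrt ships)
# Assumptions: dropbear lives at /usr/sbin/dropbear and supports inetd mode (-i);
# 203.0.113.0/24 and 192.0.2.17 are placeholder management addresses.
service ssh
{
    disable        = no
    socket_type    = stream
    protocol       = tcp
    wait           = no
    user           = root
    server         = /usr/sbin/dropbear
    server_args    = -i
    # Host-level allow list: xinetd closes the connection before dropbear
    # is ever started. This covers only this service; the firewall ACCEPT
    # for port 22 is still required or the packet never reaches xinetd.
    only_from      = 203.0.113.0/24 192.0.2.17
    # Cap concurrent sessions overall and per client address
    instances      = 4
    per_source     = 2
    log_type       = SYSLOG authpriv
    log_on_success = HOST PID
    log_on_failure = HOST
}

# /etc/xinetd.d/telnet  (example tripwire in the spirit of point 1)
# Nothing legitimate should telnet to the router, so a connection here is
# treated as hostile: xinetd's built-in SENSOR puts the client address on
# the global no_access list for deny_time minutes, which also shuts it out
# of the ssh service above. Nothing is served on the port.
service telnet
{
    disable        = no
    type           = INTERNAL
    flags          = SENSOR
    socket_type    = stream
    protocol       = tcp
    wait           = no
    user           = nobody
    deny_time      = 60
    log_type       = SYSLOG authpriv
    log_on_success = HOST
}
```

Two things to keep in mind when mixing this with the UCI rules above: xinetd only sees connections the packet filter already accepted, so a DROP rule on wan for port 22 silently makes only_from irrelevant, and a sensor keys on the source address, so it belongs on TCP services only (a spoofed UDP packet could otherwise lock a legitimate management host out for deny_time). Denials and sensor hits land in syslog under authpriv, which is the log stream to watch if you want the "report back to a home base" behaviour described in point 1.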