From: Dave Taht
To: Marc MERLIN
Cc: cerowrt-users@lists.bufferbloat.net
Subject: Re: [Cerowrt-users] firewalling suggestion
Date: Sun, 25 Nov 2012 21:48:06 +0100
In-Reply-To: <20121125203142.GB24680@merlins.org>

You can allow in ssh in the specific /etc/xinet.d/ssh file.
On Sun, Nov 25, 2012 at 9:31 PM, Marc MERLIN wrote:
> Howdy,
>
> I like having my ssh port available on the internet side so that I can get
> into my router from there if needed.
>
> To do so, I had to edit /etc/xinetd.conf which prevents any connection from
> outside to a bunch of services, including dropbear/ssh.
>
> In turn, this enables a bunch of services to the internet, I'm not looking
> at enabling, so I firewalled them with iptables.
>
> But this brings the question: can the default config be fixed accordingly?
> Firewalling with inetd and hosts.allow is so early 1990's :)
>
> I changed the firewalling config as such:
>
> config rule
>         option src 'wan'
>         option proto 'tcp udp'
>         option target 'ACCEPT'
>         option name 'allow outside mgmt'
>         option dest_port '22 81 443'
>
> config rule
>         option src 'wan'
>         option proto 'tcp udp'
>         option name 'blockconfig'
>         option target 'DROP'
>         option dest_port '1-65535'
>
> config rule
>         option src 'guest'
>         option proto 'tcp udp'
>         option dest_port '80 81 137 138 139 445'
>         option name 'blockconfig2'
>         option target 'DROP'
>
> This isn't one size fits all, but changing the default to allow all from xinetd,
> block all from wan, except a few services, is probably a good idea, no?
>
> Marc
> --
> "A mouse is a device used to point at the xterm you want to type in" - A.S.R.
> Microsoft is to operating systems ....
>                                       .... what McDonalds is to gourmet cooking
> Home page: http://marc.merlins.org/

-- 
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
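With rules like the ones Marc quotes, what the WAN can reach depends on the order the rules are listed in, since the 'blockconfig' DROP covers every port. As an added example (not code from the thread or from CeroWrt), this Python snippet parses those three UCI rules and evaluates them the way the OpenWrt firewall applies them, first match in config order; that ordering assumption, and the constructed copy of the rules, are the only things it takes for granted.

```python
# Constructed copy of the three rules quoted in the message above.
RULES_TEXT = """
config rule
  option src 'wan'
  option proto 'tcp udp'
  option target 'ACCEPT'
  option name 'allow outside mgmt'
  option dest_port '22 81 443'
config rule
  option src 'wan'
  option proto 'tcp udp'
  option name 'blockconfig'
  option target 'DROP'
  option dest_port '1-65535'
config rule
  option src 'guest'
  option proto 'tcp udp'
  option dest_port '80 81 137 138 139 445'
  option name 'blockconfig2'
  option target 'DROP'
"""

def parse_rules(text):
    """Return the 'config rule' sections as option dicts, in file order."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if parts[:2] == ["config", "rule"]:
            rules.append({})
        elif len(parts) == 3 and parts[0] == "option" and rules:
            rules[-1][parts[1]] = parts[2].strip().strip("'\"")
    return rules

def port_matches(spec, port):
    """dest_port is a space-separated list of single ports or lo-hi ranges."""
    for item in spec.split():
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def decide(rules, src, proto, port):
    """Target of the first matching rule (assumed first-match, config order);
    None means nothing matched and the zone's default policy applies."""
    for r in rules:
        if r.get("src") != src or proto not in r.get("proto", "tcp udp").split():
            continue
        if "dest_port" in r and not port_matches(r["dest_port"], port):
            continue
        return r.get("target")
    return None

def accepted_ports(rules, src, proto, ports=range(1, 65536)):
    """Ports a rule explicitly ACCEPTs from the given zone: the WAN exposure."""
    return [p for p in ports if decide(rules, src, proto, p) == "ACCEPT"]
```

Swapping the two wan rules makes `accepted_ports` for wan come back empty, which is the check worth running before shipping such a default.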