[Cerowrt-devel] open ports on WAN
Dave Taht
dave.taht at gmail.com
Sat Apr 19 13:52:28 EDT 2014
On Sat, Apr 19, 2014 at 9:36 AM, Chuck Anderson <cra at wpi.edu> wrote:
> I was curious to see what services were open on the WAN to the CeroWrt
> router itself. It looks like the following services are open and not
> firewalled via iptables directly:
>
> 21 telnet
> 22 ssh
> 23 ftp
> 873 rsync
> 12865 netserver
>
> The only thing blocking access is the xinetd configuration:
>
> defaults
> {
> per_source = 16
> only_from = 192.168.0.0/16 172.16.0.0/12
> instances = 18
> max_load = 16
> }
> Is this a good idea, relying only on this default config to block
> access to those services? Or should the iptables firewall default to
> blocking everything and only poke holes where they are needed rather
> than how it is now--only blocking a list of ports which doesn't
> include the above ports?
telnet and ftp are actually sensors that detect probe attempts and
block off attempts to access any other services from the offending
IP.
I like the sensor capability, and wish it could trigger adding firewall
rules as well.
Rsync has no conf file by default, and ssh and netserver are limited by
default to the common internal IP addresses.
You can tighten these down further if you like.
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel at lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
--
Dave Täht
NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
More information about the Cerowrt-devel
mailing list