[ale] Silly Firewall question of the week

Transam@cavu.com transam at cavu.com
Sat Jul 7 19:12:52 EDT 2001


> Good morning,

> I managed to set up my RH7.1 box with the middle
> level of firewall protection (I forgot the term that RH uses).
> I think this firewall blocks any non-root port (above 1024).
> However, just for experimentation, I want to rsh back to my
> box (I'm testing some MPI apps and I don't want to set up
> SSH quite yet for MPI). How do I modify the firewall so
> that I can get rsh access back to the box? (I'm behind a mean
> nasty firewall on another box so I'm not too worried about
> rsh-ing back to my box for a limited amount of time).

You simply add an iptables or ipchains rule to allow anyone to connect
to your TCP port 514 for both input and output.  (I'm assuming that
the firewall also is the box that you want to rsh into.)  You would be
advised to have this rule only let certain client IPs do this.

This rule should ONLY be allowed on a trusted network, i.e., one that is
not accessible from the Internet and on which all systems and their users
are trusted.

RANT:
The problem with vague security levels that Mandrake (and now RH) use is
that you really don't know what they ARE doing.  It is much better to
at least study and understand the rules generated and what services they
leave running.  Even better, create your own.

Almost every client I've dealt with who confidently has a firewall (both
Linux and Cisco) had them misconfigured such that they were wide open to
attack from the Internet.

When you're done be sure to scan your network from the Internet to ensure
that you correctly set up your firewall.

> TIA,

> Jeff Layton

Bob Toxen
transam at cavu.com                       [Bob's ALE Bulk email]
bob at cavu.com
http://www.cavu.com
http://www.realworldlinuxsecurity.com/ [My book: "Real World Linux Security"]
http://www.cavu.com/sunset.html        [Sunset Computer]
Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
Quality Linux & UNIX security and software consulting since 1990.

GPG Public key available at http://www.cavu.com/pubkey.txt (book at cavu.com)
pub  1024D/E3A1C540 2000-06-21 Bob Toxen <book at cavu.com>
     Key fingerprint = 30BA AA0A 31DD B68B 47C9  601E 96D3 533D E3A1 C540
sub  2048g/03FFCCB9 2000-06-21
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
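The rule Bob describes, written out as a small script. This is an added example and not part of the original reply or of any Red Hat tool; it assumes the firewall host is also the rsh server, that iptables (not ipchains) is in use, and it uses 192.168.1.10 as a constructed client address for illustration. Rather than opening TCP 514 to anyone, it restricts the rules to one client, as the reply advises, and it also covers the second TCP connection rshd opens back to the client for stderr, which a firewall with a non-ACCEPT OUTPUT policy would otherwise block.

```shell
#!/bin/sh
# Added example (not from the original post): print iptables rules that open
# rsh (TCP 514) to a single trusted client instead of to the whole world.
# Assumptions not stated on the page: the firewall host is the rsh server,
# iptables (not ipchains) is in use, and 192.168.1.10 is a constructed client
# address for illustration.  Nothing here touches the firewall; pipe the output
# to "sh" as root to apply it.

# Accept only a plain dotted-quad IPv4 address.  A stray "/8", a hostname or an
# empty string must be refused here, because a sloppy "-s" value can turn a
# one-host exception into a much wider hole.  Returns 0 if valid, 1 otherwise.
valid_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS='.'
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rules for one client.  "-I" inserts at the head of the chain so the
# rules are evaluated before the distribution's blanket REJECT/DROP rule, which
# would otherwise match first and silently win.
rsh_rules() {
    client=$1
    valid_ipv4 "$client" || {
        echo "rsh_rules: '$client' is not a single IPv4 address" >&2
        return 1
    }
    # Inbound: the client's new connection to rshd on 514.  The rsh client
    # always binds a reserved source port (512-1023) and rshd refuses anything
    # else, so the firewall can insist on it as well.
    printf 'iptables -I INPUT -p tcp -s %s --sport 512:1023 --dport 514 -m state --state NEW -j ACCEPT\n' "$client"
    # Inbound: return packets of connections this host already has with the
    # client, including the stderr back-channel below.
    printf 'iptables -I INPUT -p tcp -s %s --sport 512:1023 --dport 512:1023 -m state --state ESTABLISHED -j ACCEPT\n' "$client"
    # Outbound: replies from port 514, plus the second TCP connection rshd
    # opens from a reserved port back to a reserved port the client chose
    # for stderr.  Both fall inside 512:1023 on each end.
    printf 'iptables -I OUTPUT -p tcp -d %s --sport 512:1023 --dport 512:1023 -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$client"
}

# Number of rules emitted for a client; handy as a sanity check before applying.
rule_count() {
    rsh_rules "$1" | wc -l | tr -d ' '
}

# Usage: rsh_rules 192.168.1.10 | sh      (as root; the address is constructed)
```

Apply with `rsh_rules 192.168.1.10 | sh` as root, then look at `iptables -L -n -v` to confirm the three ACCEPT rules sit above the generated reject rule. If the box is actually running ipchains rather than iptables, the same idea applies but with the lowercase `input`/`output` chains and without connection tracking. As the reply says, finish by scanning from outside (for example `nmap -p 514` against the public address from another host): port 514 should be open only from the listed client.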




