Re: firewall package for laptop wi-fi client



On Tue, 25 Jan 2011 21:58:02 +0000
Joe <joe@xxxxxxxxxxxxxx> wrote:

On Tue, 25 Jan 2011 15:00:36 -0500
Celejar <celejar@xxxxxxxxx> wrote:

On Tue, 25 Jan 2011 12:51:15 +0000 (UTC)
Camaleón <noelamac@xxxxxxxxx> wrote:


In this scenario, the "LAN" and the "WAN" are at the same "hostile"
level and so both should be treated. Why should you accept
incoming ssh traffic from the "hostile lan/wan"? I shouldn't...
unless:

Exactly my point - that personal firewall 'profiles' are less useful
than they might appear at first blush, since you pretty much need to
treat all traffic, even 'local' traffic, as dangerous when behind a
NAT router.


A laptop will not normally be offering services, so a very basic

My laptop offers lots of services:

~# nmap localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-25 18:49 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000022s latency).
Hostname localhost resolves to 2 IPs. Only scanned 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
631/tcp open ipp
3128/tcp open squid-http
9999/tcp open abyss

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

[ssh, Exim, dnsmasq, CUPS, privoxy, approx]

although it can be argued that most of these are intended for use by
localhost only, so we can / should block all remote access to them.

iptables setup should be adequate everywhere. I have a second profile
which allows only DHCP, DNS and VPN packets out to the LAN, and once a
VPN is established, DNS goes over it anyway and the default gateway
switches to the VPN server.

This is pretty much equivalent to the Windows 'send all traffic via the
remote server' option, and I use it both on foreign LANs and on mobile
Internet if I need to do anything sensitive. If I just want email
access, ssh into my server is enough, using the standard profile.

All the public wi-fi systems I've tried seem to block most protocols, so
neither ssh nor VPN is possible, and I've given up trying them. Maybe
I'm paranoid, but every time I read about some obscure, devious attack
technique that I would never have believed possible, or exploitable
software bug, I get that little bit more paranoid...

I use RADIUS/EAP-TLS at home, but I can see how that might not be
practical in a pub or cafe.

Interesting, thanks.

Celejar
--
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
Archive: http://lists.debian.org/20110125222635.2c097ed7.celejar@xxxxxxxxx
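A concrete form of the two profiles discussed in the thread above, as an added example that is not code from Joe's or Celejar's messages: a "standard" profile that is default-deny inbound so the listening services in the nmap listing stay reachable from 127.0.0.1 only, and a "VPN-only" profile that additionally lets only DHCP, DNS and the VPN endpoint out on the LAN interface and sends everything else through the tunnel. The interface names (wlan0, tun0), the VPN server address, protocol and port are assumptions; both rulesets are emitted in iptables-restore format so they can be inspected before being loaded.

```shell
#!/bin/sh
# Added example (not from the original post): two iptables profiles for
# a laptop on an untrusted LAN, printed in iptables-restore format.
# Interface names, VPN endpoint, protocol and port below are assumptions.
set -u

LAN_IF="${LAN_IF:-wlan0}"                 # assumption: wireless uplink
VPN_IF="${VPN_IF:-tun0}"                  # assumption: tunnel device
VPN_SERVER="${VPN_SERVER:-198.51.100.10}" # placeholder, RFC 5737 range
VPN_PROTO="${VPN_PROTO:-udp}"             # assumption
VPN_PORT="${VPN_PORT:-1194}"              # assumption

# Rules both profiles share. $1 is the OUTPUT chain policy.
# Inbound is default-deny, loopback is open (the services in the nmap
# listing are for localhost), replies to our own connections are accepted.
common_head() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT $1 [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Standard profile: any outbound, no unsolicited inbound at all, so
# ssh/smtp/dns/ipp/squid/abyss are reachable from 127.0.0.1 only.
standard_profile() {
    common_head ACCEPT
    printf '%s\n' COMMIT
}

# VPN-only profile: on the LAN interface only DHCP, DNS and the VPN
# endpoint may be contacted; all other traffic must leave via the tunnel.
# DHCP replies are broadcast, so they get an explicit INPUT rule.
vpn_only_profile() {
    common_head DROP
cat <<EOF
-A OUTPUT -o $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o $LAN_IF -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $LAN_IF -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o $LAN_IF -p $VPN_PROTO -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
-A OUTPUT -o $VPN_IF -j ACCEPT
COMMIT
EOF
}

# Load a profile into the kernel (needs root). Nothing is applied unless
# this function is called explicitly, e.g.: apply_profile vpn
apply_profile() {
    case "$1" in
        vpn)      vpn_only_profile | iptables-restore ;;
        standard) standard_profile | iptables-restore ;;
        *) echo "usage: apply_profile standard|vpn" >&2; return 2 ;;
    esac
}
```

Source the script and run `vpn_only_profile` to review the rules, then `apply_profile vpn` as root once the laptop is on the foreign LAN; once the tunnel is up, DNS and the default route move to the VPN as the post describes, and only the `-o tun0` rule is exercised. These are host rules only (FORWARD stays DROP), and IPv6 needs a matching ip6tables profile, otherwise the same services remain reachable over the LAN's link-local addresses.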


