Re: question on iptables, port 631 and CUPS

On 3/25/2012 3:22 AM, Tim wrote:
On Sat, 2012-03-24 at 19:18 -0700, Paul Allen Newell wrote:
If I try to reach a solution based on my limited knowledge, it would
seem that one would want to change the udp to have a 127.0.0.1
sourceIP and a destinIP restricting to the LAN (I am assuming simple
home user usage where there's a single LAN that has one connection
through a router to the outside world). Such would say that any other
udp would get rejected (or allowed by some other rule).

127.x.y.z addresses are not LAN addresses, they're only for the machine
itself (internal communication).

If one is being secure, particularly when you connect your computers to
random networks, or directly to the internet with no intervening gadget
that acts like a firewall, then you probably do not want to use the
default firewall rules that Fedora uses (allow everything by default,
have a few specific rules, then a final deny rule). You'd want to go
the opposite way: Deny everything by default, poke holes through for
the few things that you want to allow.

And, of course, configure all your services correctly. Do not rely on a
firewall to stop access to a service that you don't want public access to.
Configure *that* service to ignore unwanted connections.

It's particularly important if you're one of those people who are going
to disable the firewall to try and work out some problem. Because it
only takes mere moments for some hacker to do their business on a
vulnerable system. And that moment might be when you've dropped your
firewall.


Tim:

Thanks for the reply.

I appreciate the corrections on my language regarding 127.*

You have clearly detected that I am trying to understand "being secure". I've posted many times trying to get understanding on iptables and I know that once I sort that out, I have to deal with firewall issues. Let me digest your email (along with the other posts regarding exactly what port 3535 is) and get back.

Best,
Paul

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
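As an added illustration of the "deny everything by default, poke holes" approach Tim describes (example code written here, not from either poster), the script below emits an iptables-restore ruleset for a single-LAN home machine running CUPS; it also makes the 127.x point concrete, since loopback traffic is matched on the lo interface rather than by source address. The LAN prefix 192.168.1.0/24 and the output path /tmp/rules.v4 are assumptions.

```shell
#!/bin/sh
# Added example: generate a default-deny iptables ruleset in
# iptables-restore format. Everything is dropped unless a rule below
# explicitly accepts it. 192.168.1.0/24 is a constructed sample LAN.

# gen_rules LAN_CIDR  -> prints the ruleset on stdout
gen_rules() {
    lan="$1"
    cat <<EOF
*filter
# Default policies: deny inbound and forwarded traffic, allow outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 127.0.0.0/8 only ever arrives on lo, so match the interface, not a
# source address; a 127.x source on any other interface is bogus.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# Replies to connections this host opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Basic ICMP so ping and path-MTU discovery keep working.
-A INPUT -p icmp -j ACCEPT
# CUPS: IPP over TCP and printer browsing over UDP, from the LAN only.
-A INPUT -s $lan -p tcp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $lan -p udp --dport 631 -j ACCEPT
# Anything else falls through to the INPUT DROP policy; log a sample first.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# rule_count FILE -> number of -A INPUT rules, a sanity check before loading
rule_count() { grep -c '^-A INPUT' "$1"; }

# Write the ruleset; load it as root with: iptables-restore < /tmp/rules.v4
gen_rules 192.168.1.0/24 > /tmp/rules.v4
rule_count /tmp/rules.v4
```

Check the generated file with `iptables-restore --test` (where your version supports it) before loading it, and keep a console open in case a rule locks you out.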