Re: question on iptables, port 631 and CUPS



On 3/25/2012 3:22 AM, Tim wrote:
> On Sat, 2012-03-24 at 19:18 -0700, Paul Allen Newell wrote:
>> If I try to reach a solution based on my limited knowledge, it would
>> seem that one would want to change the udp to have a 127.0.0.1
>> sourceIP and a destinIP restricting to the LAN (I am assuming simple
>> home user usage where there's a single LAN that has one connection
>> through a router to the outside world). Such would say that any other
>> udp would get rejected (or allowed by some other rule).
>
> 127.x.y.z addresses are not LAN addresses, they're only for the machine
> itself (internal communication).
>
> If one is being secure, particularly when you connect your computers to
> random networks, or directly to the internet with no intervening gadget
> that acts like a firewall, then you probably do not want to use the
> default firewall rules that Fedora uses (allow everything by default,
> have a few specific rules, then a final deny rule). You'd want to go
> the opposite way: Deny everything by default, poke holes through for
> the few things that you want to allow.
>
> And, of course, configure all your services correctly. Do not rely on a
> firewall to stop access to a service that you don't want public access.
> Configure *that* service to ignore unwanted connections.
>
> It's particularly important if you're one of those people who are going
> to disable the firewall to try and work out some problem. Because it
> only takes mere moments for some hacker to do their business on a
> vulnerable system. And that moment might be when you've dropped your
> firewall.


Tim:

Thanks for the reply.

I appreciate the corrections on my language regarding 127.*

You have clearly detected that I am trying to understand "being secure". I've posted many times trying to get understanding on iptables and I know that once I sort that out, I have to deal with firewall issues. Let me digest your email (along with the other posts regarding exactly what port 3535 is) and get back.

Best,
Paul
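
Added example, not part of the original thread: a Python check that reads `iptables-save` output and reports the INPUT chain's default policy and whether port 631 is accepted from any source, the two points raised in Tim's reply. Both rulesets, the 192.168.1.0/24 LAN range and the function name `audit_input_chain` are constructed for illustration.

```python
import shlex

# Constructed iptables-save samples (not from the thread); LAN range is assumed.
DEFAULT_ALLOW = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
DEFAULT_DENY = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
COMMIT
"""

def audit_input_chain(dump, port=631):
    """Return (policy, findings) for the filter table's INPUT chain."""
    # Only plain -s/-i/--dport matches are read; negation and multiport are not.
    policy, findings, table = None, [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]          # "*filter", "*nat", ...
        if table != "filter":
            continue
        if line.startswith(":INPUT "):
            policy = line.split()[1]  # chain default: ACCEPT or DROP
        elif line.startswith("-A INPUT "):
            tok = shlex.split(line)
            opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
            if (opt.get("-j") == "ACCEPT" and opt.get("--dport") == str(port)
                    and "-s" not in opt and opt.get("-i") != "lo"):
                findings.append(f"{opt.get('-p', 'any')}/{port} accepted from any source")
    if policy == "ACCEPT":
        # iptables -F removes rules but keeps the policy, so a flushed chain accepts all
        findings.append("INPUT policy is ACCEPT: a flush leaves INPUT unfiltered")
    return policy, findings

if __name__ == "__main__":
    for name, dump in (("default-allow", DEFAULT_ALLOW), ("default-deny", DEFAULT_DENY)):
        print(name, audit_input_chain(dump))
```

On a live system the input would come from `iptables-save` run as root rather than from the embedded samples.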
