Re: [opensuse] samba ports and SuSEfirewall2

On Wed, 8 Apr 2009 21:07:45 lynn wrote:

> Phew. Thanks for taking all that time Rodney. Yes. The adsl router does
> have a firewall. It's a good idea if SuSEfirewall2 doesn't work. It has
> these options:

You're welcome. Actually, scanning the log and seeing the problem took less time
than writing the email. Before going too far it may be worth trying the recipe
that Carlos mentioned in an earlier reply. I'd be interested to see if it does
fix the problem (in other words, if I correctly interpreted what I saw in the
wireshark capture file).

> Enable DOS and Portscan Protection :
> SYN attack :
> FIN/URG/PSH attack :
> Ping Attack :
> Xmas Tree attack :
> TCP reset attack :
> Null scanning attack :
> Ping of Death attack :
> SYN/RST SYN/FIN attack :
>
> Which would you suggest setting to 'yes' bearing in mind my NAS runs a
> bittorrent client (ctorrent with dctcs).

I concur with Carlos. Set them all. If you enable UPnP then the bittorrent
client will be able to automatically "punch" a hole in the firewall as
required. That is what UPnP is for - to allow aware applications and firewalls
to open and close access on an as-needed basis. In extreme cases it could be
seen as a security risk - whether you use it or not is entirely up to you. I
have used it on my Linksys router and it does work but the torrent client
needs to be UPnP enabled. Your NAS box doco's should detail what config is
needed if it is supported.

> There's also NAT which I've no ports forwarded except ALG as follows (the
> D-Link default I think):
>
> IPSec (VPN Passthrough) :
> RTSP (Online Video Streaming) :
> Windows/MSN Messenger : (automatically disabled if UPnP is enabled)
> H.323 (Video Conferencing) :

I would not have any NAT ports forwarded from the outside world unless
absolutely necessary (i.e. either you or someone you trust needs to access
your network from outside the firewall) and then only very selectively e.g.
ssh (for remote admin), https (for webmail perhaps - I've used it for that in
the past) and that's about it.

You probably don't need PPTP or IPSec unless you're running a VPN to another
site. You don't need RTSP unless you're streaming media to others elsewhere on
the net (and IMHO you'd probably be crazy to try that over a dsl connection),
MSN Messenger (or its Linux equivalent) maybe if you use instant messaging,
H.323 most likely not needed and SIP only if you use a VoIP service (e.g.
Skype or another IP telephony service) from inside your LAN and want to
receive incoming calls.

> Isn't just NAT good enough for what I want to do? Listen to mp3's and avi's
> I have on my laptop? If no one can connect to me from the outside then I'm
> OK internally on the lan no?

You only need NAT if you want to connect to a box on your lan from outside the
firewall (i.e. elsewhere on the internet). If you have no need to accept
incoming connections from outside, turn it all OFF.

> Cheers, L x

Rodney Baker VK5ZTV
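What the router's "Null scanning", "Xmas Tree", "FIN/URG/PSH" and "SYN/RST SYN/FIN" options are actually matching on, as an added example that is not part of this thread: a small classifier for those TCP flag combinations, run over constructed sample packets and summarised per source. The flag masks are the standard TCP header bits; the packet tuples, addresses and the port threshold are assumptions made for the example.

```python
from collections import defaultdict

# TCP flag bits as they appear in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_tcp_flags(flags: int) -> str:
    """Name the flag pattern behind the router's protection options, or 'normal'."""
    if flags == 0:
        return "null scan"            # no flags at all is never legitimate
    if flags & SYN and flags & FIN:
        return "syn/fin"              # SYN and FIN never belong together
    if flags & SYN and flags & RST:
        return "syn/rst"
    if flags & (FIN | URG | PSH) == (FIN | URG | PSH) and not flags & (SYN | ACK):
        return "xmas tree"            # FIN, URG and PSH all lit, no SYN/ACK
    if flags & (FIN | URG | PSH) and not flags & (SYN | ACK | RST):
        return "fin/urg/psh"          # unsolicited FIN/URG/PSH without an ACK
    if flags == SYN:
        return "syn"                  # bare SYN: normal connect, or a scan if many
    return "normal"

def summarize_sources(packets, syn_port_threshold=3):
    """Per source IP: malformed-flag hits, and whether bare SYNs hit too many ports."""
    bad = defaultdict(list)
    syn_ports = defaultdict(set)
    for src, dport, flags in packets:
        kind = classify_tcp_flags(flags)
        if kind == "syn":
            syn_ports[src].add(dport)
        elif kind != "normal":
            bad[src].append(kind)
    report = {}
    for src in set(bad) | set(syn_ports):
        report[src] = {
            "malformed": sorted(set(bad[src])),
            "syn_scan_suspect": len(syn_ports[src]) > syn_port_threshold,
        }
    return report

# Constructed sample packets (src, dst port, flags): a normal SMB client, a host
# sending Xmas/null probes, and a host walking ports with bare SYNs (assumed data).
SAMPLE = [
    ("192.0.2.10", 445, SYN), ("192.0.2.10", 445, ACK), ("192.0.2.10", 445, PSH | ACK),
    ("198.51.100.7", 139, FIN | URG | PSH), ("198.51.100.7", 139, 0),
    ("203.0.113.5", 21, SYN), ("203.0.113.5", 22, SYN), ("203.0.113.5", 139, SYN),
    ("203.0.113.5", 445, SYN), ("203.0.113.5", 6881, SYN | FIN),
]

if __name__ == "__main__":
    for src, info in sorted(summarize_sources(SAMPLE).items()):
        print(src, info)
```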
