Samba & IPTables

Charles Bronson packetgeek at chuckiechanboys.com
Sat Aug 2 15:00:48 UTC 2003


Dag Wieers wrote:
> On Sat, 2 Aug 2003, Charles Bronson wrote:
> 
> 
>>Dag Wieers wrote:
>>
>>
>>>Maybe a personal firewall approach is needed. Just like it pop-ups a 
>>>yes/no dialog box for every outgoing or incoming connection such a program 
>>>could pop-up and ask to allow incoming calls for certain listen ports.
>>>(The moment a program listens on a port an event is triggered)
>>
>>I will refer back to my point about explaining to laymen first of all what a 
>>"port" is and then what each requested port is used for.
> 
> 
> They don't actually need to know what a port is and certainly not know any 
> port numbers. People understand that when they are doing something 
> network-related and a pop-up appears, it is related.
>
> And of course the pop-up explains what is going on and if you want to 
> allow it temporarily or permanent. And at any time you can go through the 
> ruleset and the application explains for each rule what it is about.
> 
> It is a great tool to learn more about networking.
You are correct when all networking activities are limited to the Well Known 
Ports. However, what happens when a user gets a request for access to a port 
above 1024? This could be someone trying to hack their PC or it could be a 
legitimate use.

Let's use Bob and Alice (avg users) in an example:
Bob wants to access the family computer from work so he installs <insert 
Generic Remote Access Tool name here>. The next day Bob is at work and lights up 
the GRAT client. Alice is home surfing the web and a pop-up asks her if she 
should allow access to port 2029. Pretend you're Alice and make the call: what 
would you do?


>>>And then you can decide to allow it from a single address, a network 
>>>range or decide to allow it on a case by case basis.
>>
>>This dips heavily into understanding the complexities of TCP/IP network addressing.
> 
> 
> It doesn't have to. I'm not making this up, this software exists and is 
> used already by people that don't fully understand the complexities of 
> TCP/IP network addressing.
> 
> Zonealarm, Norton Personal Firewall, Symantec Desktop Firewall, 
> Firestarter (Linux), ... Sure it's better if they do understand everything 
> fully and have a major etc etc. That's not what this thread is about.

I have a working knowledge of some of these tools and will take your word for it 
on the others. Back to my example. Alice is sitting there with this pop-up. 
Assume she accepted the connection request. Let's assume further that Bob's 
company uses dynamic NAT for their Internet connection. Does Alice or Bob have 
the knowledge to go out to ARIN.net and find out the network address range of 
Bob's corporate network, or will she wait by the computer to allow access for 
each previously unused address every time he wants to connect?


> 
> Lokkit is a very limited tool. It is not functional for most of the home 
> users and I don't think it is intended to be. Someone in this thread 
> already referred to it (not supporting samba).
If you look at my previous reply you will see that I already agree with you on 
this point.

* In the above example feel free to swap out a random ISP for Bob's company.


-- 
(¬_    Some days you're the windshield    >o)
//\    Some days you're the bug...        /\\
V_/_                                     _\_V
Charles Bronson
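The Bob-and-Alice scenario above boils down to one question: does "allow" on the pop-up record a single source address or a network range? The following toy ruleset model is an added example, not code from this thread or from any of the firewall products named in it. Port 2029 comes from the message; the source addresses and the NAT pool 203.0.113.0/24 are constructed (RFC 5737 documentation space) and stand in for Bob's employer, whose dynamic NAT hands his connection a different public address each day.

```python
"""Toy model of a personal-firewall ruleset: allow a listen port from a
single host vs. from a network range, and check incoming connections
against it. Added example; not from the thread or any named product."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    port: int                       # destination (listen) port
    source: ipaddress.IPv4Network   # allowed source; a single host is a /32
    note: str                       # plain-language explanation shown to the user


def host_rule(port: int, host: str, note: str) -> Rule:
    """Allow `port` from exactly one source address (what clicking 'allow' records)."""
    return Rule(port, ipaddress.IPv4Network(f"{host}/32"), note)


def range_rule(port: int, cidr: str, note: str) -> Rule:
    """Allow `port` from a whole network range, e.g. a company's NAT pool."""
    return Rule(port, ipaddress.IPv4Network(cidr, strict=False), note)


def match(rules: List[Rule], src_ip: str, dst_port: int) -> Optional[Rule]:
    """First rule that covers this (source, port); None means 'no rule', i.e. the
    personal firewall would block the packet or raise another pop-up."""
    addr = ipaddress.IPv4Address(src_ip)
    for rule in rules:
        if rule.port == dst_port and addr in rule.source:
            return rule
    return None


def explain(rules: List[Rule]) -> List[str]:
    """One human-readable line per rule, the way the pop-up tool would list them."""
    lines = []
    for r in rules:
        scope = (f"host {r.source.network_address}" if r.source.prefixlen == 32
                 else f"network {r.source.with_prefixlen}")
        lines.append(f"port {r.port} from {scope}: {r.note}")
    return lines


def connections_allowed(rules: List[Rule], sources: List[str], dst_port: int) -> List[bool]:
    """Simulate a week of connections whose source address changes each day."""
    return [match(rules, s, dst_port) is not None for s in sources]


# Constructed sample data (RFC 5737 documentation addresses, not real hosts).
GRAT_PORT = 2029                                   # port from the thread's example
NAT_POOL = "203.0.113.0/24"                        # assumed: Bob's employer's NAT range
WEEK = ["203.0.113.17", "203.0.113.42", "203.0.113.9", "203.0.113.17", "203.0.113.201"]

# What Alice gets by clicking "allow" on the first pop-up: only that day's address.
PER_HOST = [host_rule(GRAT_PORT, WEEK[0], "Bob's remote access tool (allowed once)")]
# What she would actually need: the whole pool Bob's connections come from.
PER_RANGE = [range_rule(GRAT_PORT, NAT_POOL, "Bob's remote access tool from work")]

if __name__ == "__main__":
    print("\n".join(explain(PER_HOST)))
    print(connections_allowed(PER_HOST, WEEK, GRAT_PORT))    # [True, False, False, True, False]
    print("\n".join(explain(PER_RANGE)))
    print(connections_allowed(PER_RANGE, WEEK, GRAT_PORT))   # [True, True, True, True, True]
    # An unrelated host probing the same port still matches no rule (pop-up / block).
    print(match(PER_RANGE, "198.51.100.9", GRAT_PORT))       # None
```

Under the per-host rule, every day the NAT pool assigns Bob a new address is another pop-up for Alice, which is exactly the objection raised above; the range rule fixes that, but only if someone knows the range to type in. A connection from outside the pool, or to a different port, still matches nothing either way.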





More information about the fedora-list mailing list