Re: Samba & IPTables (fwd)
- From: Charles Bronson <packetgeek chuckiechanboys com>
- To: rhl-list redhat com
- Subject: Re: Samba & IPTables (fwd)
- Date: Sat, 02 Aug 2003 16:49:35 -0400
Dag Wieers wrote:
On Sat, 2 Aug 2003, Charles Bronson wrote:
VNC, the default is 5900.
It is a great tool to learn more about networking.
You are correct when all networking activities are limited to the Well Known
Ports. However, what happens when a user gets a request for access to a port
above 1024? This could be someone trying to hack their PC or it could be a
What legitimate use accesses a port > 1024 (on an unknown port)?
I think it is fairly safe to say that if the user wasn't expecting
anything to happen, he can deny it temporarily (and maybe that should be
the default thing to suggest/advice).
Ok but Bob just lost his connection when he apparently needed it.
It installs by default with some of the install profiles. But even so, RPMs
are easy to install and most will set the service to run, albeit with very
general conf files.
Let's use Bob and Alice (avg users) in an example:
Bob wants to access the family computer from work so he installs <insert
Generic Remote Access Tool name here>. The next day Bob is at work and lights up
the GRAT client. Alice is home surfing the web and a pop-up asks her if she
should allow access to port 2029. Pretend you're Alice and make the call, what
would you do?
Well, I think you're not talking about the common case here already. I'm
sure that if Bob knows how to install GRAT
and was planning to connect to
home on a system that he shares with his wife. He prepared the personal
VNC doesn't tell you it uses 5900 but that's ok Bob doesn't understand ports
anyway so knowing that VNC uses 5900 doesn't do him any good. He and the
firewall have no common language so Bob can't tell the firewall about his new
Only if Bob's firewall does reverse DNS AND Bob's company sets their DNS to
answer those queries. Otherwise you get a raw IP address.
Anyway, in this case the pop-up probably says something like:
We noticed someone (from firewall.bobswork.com)
trying to connect
to 'Generic Remote Access Tool' (on port 2029).
As long as the firewall tears open the packet to look at the application layer
or lets it far enough into your computer to see who it wants to talk to.
Assuming you're talking about *known* protocols above 1024 (because we already
eliminated < 1024 from the discussion) Linux will let ANY program use ANY port
that is not already listening. Therefore a malicious program can grab, for
instance, port 1033 which your method will identify as "local netinfo port"
which sounds pretty harmless.
This traffic is unknown by the firewall and therefore could be
dangerous. We advise not to allow it unless you understand the
Do You want to allow access to Generic Remote Access Tool from
[Yes] [*No*] [Customize]
If it was a known protocol the personal firewall could give more
information about what it is used for.
(Warning: this is a remote
administration tool, someone with access can completely control your
machine from remote.)
Bob's firewall was installed by default during the system install and he does
not know enough about GRAT to know how to preset the firewall and he won't be
home the first time he tries to connect to it...
Bob is fairly stupid if he installed the personal firewall and the GRAT
server and didn't think of this before going to work.
He still can call
his wife and tell her to click on Yes ;)
I was being nice and assuming his wife would be there to see it. In many houses
only the cat/dog/goldfish will be there to answer the call ;-)
Firewalls are not around to protect your computer from calls to ports that are
not listening, your computer does that on its own ;-)
Let me also add that if nothing is listening on a port the traffic is
dropped silently (and logged).
My biggest concern is that you're denying
the concept of personal firewalls
I hand configure the IPTables scripts on all of my home computers, so you can
put your concerns aside. However my concern is that you are trivializing what in
actuality is a daunting task and that is not helping to find the solution.
and I don't have time to argue for the
sake of arguing.
Suit yourself but solutions will only come from intelligent and probing discussions.
Your example shows a program that the user knowingly initiates going out to the
Internet. Whereas many of the situations that a firewall protects against are
not user initiated and they come in from the Internet. Which means that the user
is going to have to understand the request and that goes back to the knowledge
I did a quick search to get a screenshot of ZoneAlarm. There are better
examples, I'm sure.
Lokkit is a very limited tool. It is not functional for most of the home
users and I don't think it is intended to be. Someone in this thread
already referred to it (not supporting samba).
If you look at my previous reply you will see that I already agree with you on
Right, after first saying "This statement is just plain wrong. IPTables is
a VERY powerful tool.". Next time you better not use strong language if
you're actually agreeing with me.
Please look at the following quote from earlier in this thread:
---------- Begin inserted quote ------------
>> That's probably what 'Home Users' would expect anyway. The current iptables
>> firewall from Red Hat is a basic tool and limited in functionality.
This statement is just plain wrong. IPTables is a VERY powerful tool. Are you
maybe referring to the firewall configuration tool? If so it is sufficiently
functional for a home user although using it properly would definitely be beyond
----------- End inserted quote --------------
You are saying "The current iptables firewall from Red Hat is a basic tool and
limited in functionality."
And I am saying that you are wrong and IPTables is a VERY powerful tool. After
that I was *again* trying to be courteous and allow for the fact that you may
have been talking about the firewall CONFIGURATION tool in which case I would
agree with you.
Since I will continue to try and be courteous I would appreciate it if you would
try to read my entire message.
Yes I do understand what you are trying to suggest. I am trying to get you to
help form the solution to your stated problem by suggesting that you are
oversimplifying the situation. You see the problem and that makes you a good
candidate to see when the solution has arrived. Why wouldn't you want to help
form the solution to a problem you are having?
I think you understand what I was trying to suggest so for me the thread
ends here. Feel free to find some other cornercases ;)
(¬_ Some days you're the windshield >o)
//\ Some days you're the bug... /\\
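An added example, not code from anyone in this thread, of what a hand-configured iptables setup gives the defender that a pop-up cannot: the kernel LOG output for new inbound connections, summarised per source and high port, checked against a hypothetical table of what Bob told the firewall in advance (the "common language" he never had). The log lines, addresses and the `EXPECTED` table are constructed.

```python
import re
from collections import Counter

# Constructed sample of iptables LOG output for new inbound TCP connections,
# e.g. from `iptables -A INPUT -p tcp --syn -j LOG --log-prefix "IN-NEW: "`.
# Addresses are documentation ranges; nothing here is a real capture.
SAMPLE_LOG = """\
Aug  2 16:40:01 home kernel: IN-NEW: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40112 DPT=5900 WINDOW=5840 SYN URGP=0
Aug  2 16:40:03 home kernel: IN-NEW: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=51033 DPT=2029 WINDOW=1024 SYN URGP=0
Aug  2 16:40:05 home kernel: IN-NEW: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=51034 DPT=1033 WINDOW=1024 SYN URGP=0
Aug  2 16:40:09 home kernel: IN-NEW: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=51035 DPT=2029 WINDOW=1024 SYN URGP=0
Aug  2 16:41:00 home kernel: IN-NEW: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40113 DPT=80 WINDOW=5840 SYN URGP=0
"""

# Hypothetical table of what Bob told the firewall in advance:
# destination port -> set of sources allowed to reach it (VNC only from work).
EXPECTED = {5900: {"198.51.100.7"}}

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None."""
    if "kernel:" not in line or " IN=" not in line:
        return None
    fields = dict(FIELD.findall(line))
    fields["SYN"] = " SYN " in line   # flag tokens carry no '='
    return fields

def high_port_syns(log_text):
    """Count inbound TCP SYNs to ports above 1024, keyed by (source, port)."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("PROTO") != "TCP" or not f["SYN"]:
            continue
        dpt = int(f["DPT"])
        if dpt > 1024:                 # the 'unknown high port' case
            hits[(f["SRC"], dpt)] += 1
    return hits

def verdict(src, dpt):
    """Allow only pre-approved (port, source) pairs; deny everything else."""
    return "allow" if src in EXPECTED.get(dpt, set()) else "deny"

if __name__ == "__main__":
    for (src, dpt), n in sorted(high_port_syns(SAMPLE_LOG).items()):
        print(f"{src:>15} -> port {dpt:<5} x{n}  {verdict(src, dpt)}")
```

Port 80 is dropped from the summary because the thread already set ports below 1024 aside; the repeated attempts on 2029 and 1033 from one source are what a defender would want to see grouped rather than answered one pop-up at a time.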