need a volunteer

need a volunteer

[brian Moore]

Greetings all.  okay finally got my linux box up and all my services
running the way I want.  my mail server is finally doing what I want.  I
think i have all my ipchains rules setup right and pluged all the security
holes I know of.  the one I'm not clear on is my port 25 security.  if this
machine ever becomes a spam host, I will have to shoot myself so I want to
make real sure that no one except those in my local network can use it.
probably asking for trouble but got all my logging on verbose to see what
happens.  can someone try and use my smtp server and see if you can.  if
you notice anything else, let me know as well.

would really apreciate it.

host is bmoore.yi.org
thanks.  brian.

Re: need a volunteer

[Frank J. Carmickle]

Ok Brian.
How secure do you want this machine that lives on the wonderfully unsecure
network of athome?  I would imagine that you want something that's a
little tighter then what you have right now.  When I portscan you I see 21
23 24 80 110 and 113.  Looks everything else is closed up.  My
recommendation to you is to get ssh on your box and forget about telnet
and ftp for starters.  Why you have pop3 waiting for connections is
something else I would think you would want shut down.  If you really need
http keep it.  However if you have another machine that you can
specifically set up as a firewall you will be a lot happier to know that
all of the trafic to your http server can be logged.  Same goes for
everything else.  

One thing that you really also want to have happening is some ipchains
rules setup so that your machine doesn't respond to portscans or ping
requests.  This should fool most people looking around to find someone
valnerable.  I'll post a ipchain rule set that has a lot of this done for
you already.  Then Kerry can go over it with a fine tooth comb and tell me
what's wrong with it.

HTH
FC


On Fri, 27 Oct 2000, brian Moore wrote:

> Greetings all.  okay finally got my linux box up and all my services
> running the way I want.  my mail server is finally doing what I want.  I
> think i have all my ipchains rules setup right and pluged all the security
> holes I know of.  the one I'm not clear on is my port 25 security.  if this
> machine ever becomes a spam host, I will have to shoot myself so I want to
> make real sure that no one except those in my local network can use it.
> probably asking for trouble but got all my logging on verbose to see what
> happens.  can someone try and use my smtp server and see if you can.  if
> you notice anything else, let me know as well.
> 
> would really apreciate it.
> 
> host is bmoore.yi.org
> thanks.  brian.
> 
> 
> 
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
> 

Re: need a volunteer

[Kerry Hoath]

Be aware that when a port is open it has to respond correctly in the
3-way handshake so that machines can connect to it. Regarding pop if you must
have pop3 service; use apop or md5 style authentication.
I'd think it better to block incoming pop on the cable interface
and use imap with cram-md5 authentication but that isn't trivial to configure.

Regards, Kerry.
On Sat, Oct 28, 2000 at 02:23:35AM -0400, Frank J. Carmickle wrote:
> Ok Brian.
> How secure do you want this machine that lives on the wonderfully unsecure
> network of athome?  I would imagine that you want something that's a
> little tighter then what you have right now.  When I portscan you I see 21
> 23 24 80 110 and 113.  Looks everything else is closed up.  My
> recommendation to you is to get ssh on your box and forget about telnet
> and ftp for starters.  Why you have pop3 waiting for connections is
> something else I would think you would want shut down.  If you really need
> http keep it.  However if you have another machine that you can
> specifically set up as a firewall you will be a lot happier to know that
> all of the trafic to your http server can be logged.  Same goes for
> everything else.  
> 
> One thing that you really also want to have happening is some ipchains
> rules setup so that your machine doesn't respond to portscans or ping
> requests.  This should fool most people looking around to find someone
> valnerable.  I'll post a ipchain rule set that has a lot of this done for
> you already.  Then Kerry can go over it with a fine tooth comb and tell me
> what's wrong with it.
> 
> HTH
> FC
> 
> 
> On Fri, 27 Oct 2000, brian Moore wrote:
> 
> > Greetings all.  okay finally got my linux box up and all my services
> > running the way I want.  my mail server is finally doing what I want.  I
> > think i have all my ipchains rules setup right and pluged all the security
> > holes I know of.  the one I'm not clear on is my port 25 security.  if this
> > machine ever becomes a spam host, I will have to shoot myself so I want to
> > make real sure that no one except those in my local network can use it.
> > probably asking for trouble but got all my logging on verbose to see what
> > happens.  can someone try and use my smtp server and see if you can.  if
> > you notice anything else, let me know as well.
> > 
> > would really apreciate it.
> > 
> > host is bmoore.yi.org
> > thanks.  brian.
> > 
> > 
> > 
> > _______________________________________________
> > Speakup mailing list
> > Speakup@braille.uwo.ca
> > http://speech.braille.uwo.ca/mailman/listinfo/speakup
> > 
> 
> 
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

-- 
--
Kerry Hoath: kerry@gotss.eu.org
Alternates: kerry@emusys.com.au kerry@gotss.spice.net.au or khoath@lis.net.au
ICQ UIN: 62823451

Re: need a volunteer

[Victor Tsaran]

Hey, FC!
Can you please attach this file with chain rules for me as well?
WOuld be much grateful.

Why did you say to shutdown the 110 and 113 ports. They are used for serving
POP3 client. Don't you need to get your Email once in a while? I would
definitely agree with 23 and 21 to be exchanged for SSH service which also
provides sftp.

Vic

******* ******* *******
have you thought of visiting Cybertsar's Internet Kingdom? It is still
alive!
Here is the URL:
http://go.to/vtsaran
or
http://kickme.to/vtsaran

******* ******* *******
----- Original Message -----
From: "Frank J. Carmickle" <frankiec@braille.uwo.ca>
To: "brian Moore" <admin@bmoore.yi.org>
Cc: <speakup@braille.uwo.ca>
Sent: Friday, October 27, 2000 11:23 PM
Subject: Re: need a volunteer


> Ok Brian.
> How secure do you want this machine that lives on the wonderfully unsecure
> network of athome?  I would imagine that you want something that's a
> little tighter then what you have right now.  When I portscan you I see 21
> 23 24 80 110 and 113.  Looks everything else is closed up.  My
> recommendation to you is to get ssh on your box and forget about telnet
> and ftp for starters.  Why you have pop3 waiting for connections is
> something else I would think you would want shut down.  If you really need
> http keep it.  However if you have another machine that you can
> specifically set up as a firewall you will be a lot happier to know that
> all of the trafic to your http server can be logged.  Same goes for
> everything else.
>
> One thing that you really also want to have happening is some ipchains
> rules setup so that your machine doesn't respond to portscans or ping
> requests.  This should fool most people looking around to find someone
> valnerable.  I'll post a ipchain rule set that has a lot of this done for
> you already.  Then Kerry can go over it with a fine tooth comb and tell me
> what's wrong with it.
>
> HTH
> FC
>
>
> On Fri, 27 Oct 2000, brian Moore wrote:
>
> > Greetings all.  okay finally got my linux box up and all my services
> > running the way I want.  my mail server is finally doing what I want.  I
> > think i have all my ipchains rules setup right and pluged all the
security
> > holes I know of.  the one I'm not clear on is my port 25 security.  if
this
> > machine ever becomes a spam host, I will have to shoot myself so I want
to
> > make real sure that no one except those in my local network can use it.
> > probably asking for trouble but got all my logging on verbose to see
what
> > happens.  can someone try and use my smtp server and see if you can.  if
> > you notice anything else, let me know as well.
> >
> > would really apreciate it.
> >
> > host is bmoore.yi.org
> > thanks.  brian.
> >
> >
> >
> > _______________________________________________
> > Speakup mailing list
> > Speakup@braille.uwo.ca
> > http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >
>
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

Re: need a volunteer

[Brent Harding]

Regarding security on cable, is it really an issue that if things aren't
set up right that people down the street from you have easier access to
your machine because all those machines down the street are one big
network? I'm not sure if roadrunner works the same as athome, but I've
heard of this online. My friend who uses roadrunner claims to have had his
clock fiddled around with in windows, discovering the error when he tried
to reboot and it gave the message of other users connected on the system,
and network neighborhood brought him to a dos box.
In windows, ports 135, 138, and 139 are probably always open, but you can't
do much too usefull with them.
At 05:43 PM 10/28/00 +1100, you wrote:
>Be aware that when a port is open it has to respond correctly in the
>3-way handshake so that machines can connect to it. Regarding pop if you must
>have pop3 service; use apop or md5 style authentication.
>I'd think it better to block incoming pop on the cable interface
>and use imap with cram-md5 authentication but that isn't trivial to
configure.
>
>Regards, Kerry.
>On Sat, Oct 28, 2000 at 02:23:35AM -0400, Frank J. Carmickle wrote:
>> Ok Brian.
>> How secure do you want this machine that lives on the wonderfully unsecure
>> network of athome?  I would imagine that you want something that's a
>> little tighter then what you have right now.  When I portscan you I see 21
>> 23 24 80 110 and 113.  Looks everything else is closed up.  My
>> recommendation to you is to get ssh on your box and forget about telnet
>> and ftp for starters.  Why you have pop3 waiting for connections is
>> something else I would think you would want shut down.  If you really need
>> http keep it.  However if you have another machine that you can
>> specifically set up as a firewall you will be a lot happier to know that
>> all of the trafic to your http server can be logged.  Same goes for
>> everything else.  
>> 
>> One thing that you really also want to have happening is some ipchains
>> rules setup so that your machine doesn't respond to portscans or ping
>> requests.  This should fool most people looking around to find someone
>> valnerable.  I'll post a ipchain rule set that has a lot of this done for
>> you already.  Then Kerry can go over it with a fine tooth comb and tell me
>> what's wrong with it.
>> 
>> HTH
>> FC
>> 
>> 
>> On Fri, 27 Oct 2000, brian Moore wrote:
>> 
>> > Greetings all.  okay finally got my linux box up and all my services
>> > running the way I want.  my mail server is finally doing what I want.  I
>> > think i have all my ipchains rules setup right and pluged all the
security
>> > holes I know of.  the one I'm not clear on is my port 25 security.  if
this
>> > machine ever becomes a spam host, I will have to shoot myself so I
want to
>> > make real sure that no one except those in my local network can use it.
>> > probably asking for trouble but got all my logging on verbose to see what
>> > happens.  can someone try and use my smtp server and see if you can.  if
>> > you notice anything else, let me know as well.
>> > 
>> > would really apreciate it.
>> > 
>> > host is bmoore.yi.org
>> > thanks.  brian.
>> > 
>> > 
>> > 
>> > _______________________________________________
>> > Speakup mailing list
>> > Speakup@braille.uwo.ca
>> > http://speech.braille.uwo.ca/mailman/listinfo/speakup
>> > 
>> 
>> 
>> _______________________________________________
>> Speakup mailing list
>> Speakup@braille.uwo.ca
>> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
>-- 
>--
>Kerry Hoath: kerry@gotss.eu.org
>Alternates: kerry@emusys.com.au kerry@gotss.spice.net.au or khoath@lis.net.au
>ICQ UIN: 62823451
>
>
>_______________________________________________
>Speakup mailing list
>Speakup@braille.uwo.ca
>http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
>
>

Re: need a volunteer

[Brent Harding]

Does sftp work similar to regular ftp? I've heard another bad service to
leave running is tftp, as I've heard it's unauthenticated anyways. I'd
probably leave pop open, ftp only if I really needed a place to put files
for anonymous ftp, download only of course. Can most programs people use
handle the nonstandard authentication that would make pop safer, like apop
or md5?
In email clients I've used, I've never found settings for md5, but I think
eudora has apop.
At 03:52 AM 10/28/00 -0700, you wrote:
>Hey, FC!
>Can you please attach this file with chain rules for me as well?
>WOuld be much grateful.
>
>Why did you say to shutdown the 110 and 113 ports. They are used for serving
>POP3 client. Don't you need to get your Email once in a while? I would
>definitely agree with 23 and 21 to be exchanged for SSH service which also
>provides sftp.
>
>Vic
>
>******* ******* *******
>have you thought of visiting Cybertsar's Internet Kingdom? It is still
>alive!
>Here is the URL:
>http://go.to/vtsaran
>or
>http://kickme.to/vtsaran
>
>******* ******* *******
>----- Original Message -----
>From: "Frank J. Carmickle" <frankiec@braille.uwo.ca>
>To: "brian Moore" <admin@bmoore.yi.org>
>Cc: <speakup@braille.uwo.ca>
>Sent: Friday, October 27, 2000 11:23 PM
>Subject: Re: need a volunteer
>
>
>> Ok Brian.
>> How secure do you want this machine that lives on the wonderfully unsecure
>> network of athome?  I would imagine that you want something that's a
>> little tighter then what you have right now.  When I portscan you I see 21
>> 23 24 80 110 and 113.  Looks everything else is closed up.  My
>> recommendation to you is to get ssh on your box and forget about telnet
>> and ftp for starters.  Why you have pop3 waiting for connections is
>> something else I would think you would want shut down.  If you really need
>> http keep it.  However if you have another machine that you can
>> specifically set up as a firewall you will be a lot happier to know that
>> all of the trafic to your http server can be logged.  Same goes for
>> everything else.
>>
>> One thing that you really also want to have happening is some ipchains
>> rules setup so that your machine doesn't respond to portscans or ping
>> requests.  This should fool most people looking around to find someone
>> valnerable.  I'll post a ipchain rule set that has a lot of this done for
>> you already.  Then Kerry can go over it with a fine tooth comb and tell me
>> what's wrong with it.
>>
>> HTH
>> FC
>>
>>
>> On Fri, 27 Oct 2000, brian Moore wrote:
>>
>> > Greetings all.  okay finally got my linux box up and all my services
>> > running the way I want.  my mail server is finally doing what I want.  I
>> > think i have all my ipchains rules setup right and pluged all the
>security
>> > holes I know of.  the one I'm not clear on is my port 25 security.  if
>this
>> > machine ever becomes a spam host, I will have to shoot myself so I want
>to
>> > make real sure that no one except those in my local network can use it.
>> > probably asking for trouble but got all my logging on verbose to see
>what
>> > happens.  can someone try and use my smtp server and see if you can.  if
>> > you notice anything else, let me know as well.
>> >
>> > would really apreciate it.
>> >
>> > host is bmoore.yi.org
>> > thanks.  brian.
>> >
>> >
>> >
>> > _______________________________________________
>> > Speakup mailing list
>> > Speakup@braille.uwo.ca
>> > http://speech.braille.uwo.ca/mailman/listinfo/speakup
>> >
>>
>>
>> _______________________________________________
>> Speakup mailing list
>> Speakup@braille.uwo.ca
>> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
>
>_______________________________________________
>Speakup mailing list
>Speakup@braille.uwo.ca
>http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
>
>

Re: need a volunteer

[Kerry Hoath]

Not much; just bluescreen crash or rebbot an unpatched win95 or win98 box
On Sat, Oct 28, 2000 at 02:21:35PM -0500, Brent Harding wrote:
> Regarding security on cable, is it really an issue that if things aren't
> set up right that people down the street from you have easier access to
> your machine because all those machines down the street are one big
> network? I'm not sure if roadrunner works the same as athome, but I've
> heard of this online. My friend who uses roadrunner claims to have had his
> clock fiddled around with in windows, discovering the error when he tried
> to reboot and it gave the message of other users connected on the system,
> and network neighborhood brought him to a dos box.
> In windows, ports 135, 138, and 139 are probably always open, but you can't
> do much too usefull with them.
> At 05:43 PM 10/28/00 +1100, you wrote:
> >Be aware that when a port is open it has to respond correctly in the
> >3-way handshake so that machines can connect to it. Regarding pop if you must
> >have pop3 service; use apop or md5 style authentication.
> >I'd think it better to block incoming pop on the cable interface
> >and use imap with cram-md5 authentication but that isn't trivial to
> configure.
> >
> >Regards, Kerry.
> >On Sat, Oct 28, 2000 at 02:23:35AM -0400, Frank J. Carmickle wrote:
> >> Ok Brian.
> >> How secure do you want this machine that lives on the wonderfully unsecure
> >> network of athome?  I would imagine that you want something that's a
> >> little tighter then what you have right now.  When I portscan you I see 21
> >> 23 24 80 110 and 113.  Looks everything else is closed up.  My
> >> recommendation to you is to get ssh on your box and forget about telnet
> >> and ftp for starters.  Why you have pop3 waiting for connections is
> >> something else I would think you would want shut down.  If you really need
> >> http keep it.  However if you have another machine that you can
> >> specifically set up as a firewall you will be a lot happier to know that
> >> all of the trafic to your http server can be logged.  Same goes for
> >> everything else.  
> >> 
> >> One thing that you really also want to have happening is some ipchains
> >> rules setup so that your machine doesn't respond to portscans or ping
> >> requests.  This should fool most people looking around to find someone
> >> valnerable.  I'll post a ipchain rule set that has a lot of this done for
> >> you already.  Then Kerry can go over it with a fine tooth comb and tell me
> >> what's wrong with it.
> >> 
> >> HTH
> >> FC
> >> 
> >> 
> >> On Fri, 27 Oct 2000, brian Moore wrote:
> >> 
> >> > Greetings all.  okay finally got my linux box up and all my services
> >> > running the way I want.  my mail server is finally doing what I want.  I
> >> > think i have all my ipchains rules setup right and pluged all the
> security
> >> > holes I know of.  the one I'm not clear on is my port 25 security.  if
> this
> >> > machine ever becomes a spam host, I will have to shoot myself so I
> want to
> >> > make real sure that no one except those in my local network can use it.
> >> > probably asking for trouble but got all my logging on verbose to see what
> >> > happens.  can someone try and use my smtp server and see if you can.  if
> >> > you notice anything else, let me know as well.
> >> > 
> >> > would really apreciate it.
> >> > 
> >> > host is bmoore.yi.org
> >> > thanks.  brian.
> >> > 
> >> > 
> >> > 
> >> > _______________________________________________
> >> > Speakup mailing list
> >> > Speakup@braille.uwo.ca
> >> > http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >> > 
> >> 
> >> 
> >> _______________________________________________
> >> Speakup mailing list
> >> Speakup@braille.uwo.ca
> >> http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >
> >-- 
> >--
> >Kerry Hoath: kerry@gotss.eu.org
> >Alternates: kerry@emusys.com.au kerry@gotss.spice.net.au or khoath@lis.net.au
> >ICQ UIN: 62823451
> >
> >
> >_______________________________________________
> >Speakup mailing list
> >Speakup@braille.uwo.ca
> >http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >
> >
> >
> 
> 
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

-- 
--
Kerry Hoath: kerry@gotss.eu.org
Alternates: kerry@emusys.com.au kerry@gotss.spice.net.au or khoath@lis.net.au
ICQ UIN: 62823451

Re: need a volunteer

[Geoff Shang]

On Sat, 28 Oct 2000, Brent Harding wrote:

> In windows, ports 135, 138, and 139 are probably always open, but you can't
> do much too usefull with them.

hmmm.  I only have 139 open on our windows box.  This port is labeled
netbios-ssn which is used for sharing windows drives and probably printers.  
If you have this port open on a cable network and someone manages to hack
their way into your drive shares, no file is safe.

Geoff.



-- 
Geoff Shang <gshang10@scu.edu.au>
ICQ number 43634701

Re: need a volunteer

[Brent Harding]

Is there a way, in the event if isps wanted to use ssh and sftp that
windows users could access this? I know teraterm does it for ssh, but am
not sure what for the sftp, or pop3 behind ssh mechanism mentioned in some
howto about mail some where. The idea of that was so pop passwords were
sent through ssh instead of clear text.
At 09:57 PM 10/28/00 -0700, you wrote:
>Well, I personally don't like the way some Emailers implemented IMAP access.
>One of such Emailers is Outlook Express. Pine has done it well, but not all
>ISP's use IMAP, in which case it would be hard to rely on IMAP only.
>Yes, SFTP works the same way as SSh. However, again, there is the same
>issue: not all ISP's use SSH and therefore you might be bound to using
>Telnet.
>
>******* ******* *******
>have you thought of visiting Cybertsar's Internet Kingdom? It is still
>alive!
>Here is the URL:
>http://go.to/vtsaran
>or
>http://kickme.to/vtsaran
>
>******* ******* *******
>----- Original Message -----
>From: "Brent Harding" <bharding@ufw2.com>
>To: <speakup@braille.uwo.ca>
>Sent: Saturday, October 28, 2000 12:26 PM
>Subject: Re: need a volunteer
>
>
>> Does sftp work similar to regular ftp? I've heard another bad service to
>> leave running is tftp, as I've heard it's unauthenticated anyways. I'd
>> probably leave pop open, ftp only if I really needed a place to put files
>> for anonymous ftp, download only of course. Can most programs people use
>> handle the nonstandard authentication that would make pop safer, like apop
>> or md5?
>> In email clients I've used, I've never found settings for md5, but I think
>> eudora has apop.
>> At 03:52 AM 10/28/00 -0700, you wrote:
>> >Hey, FC!
>> >Can you please attach this file with chain rules for me as well?
>> >WOuld be much grateful.
>> >
>> >Why did you say to shutdown the 110 and 113 ports. They are used for
>serving
>> >POP3 client. Don't you need to get your Email once in a while? I would
>> >definitely agree with 23 and 21 to be exchanged for SSH service which
>also
>> >provides sftp.
>> >
>> >Vic
>> >
>> >******* ******* *******
>> >have you thought of visiting Cybertsar's Internet Kingdom? It is still
>> >alive!
>> >Here is the URL:
>> >http://go.to/vtsaran
>> >or
>> >http://kickme.to/vtsaran
>> >
>> >******* ******* *******
>> >----- Original Message -----
>> >From: "Frank J. Carmickle" <frankiec@braille.uwo.ca>
>> >To: "brian Moore" <admin@bmoore.yi.org>
>> >Cc: <speakup@braille.uwo.ca>
>> >Sent: Friday, October 27, 2000 11:23 PM
>> >Subject: Re: need a volunteer
>> >
>> >
>> >> Ok Brian.
>> >> How secure do you want this machine that lives on the wonderfully
>unsecure
>> >> network of athome?  I would imagine that you want something that's a
>> >> little tighter then what you have right now.  When I portscan you I see
>21
>> >> 23 24 80 110 and 113.  Looks everything else is closed up.  My
>> >> recommendation to you is to get ssh on your box and forget about telnet
>> >> and ftp for starters.  Why you have pop3 waiting for connections is
>> >> something else I would think you would want shut down.  If you really
>need
>> >> http keep it.  However if you have another machine that you can
>> >> specifically set up as a firewall you will be a lot happier to know
>that
>> >> all of the trafic to your http server can be logged.  Same goes for
>> >> everything else.
>> >>
>> >> One thing that you really also want to have happening is some ipchains
>> >> rules setup so that your machine doesn't respond to portscans or ping
>> >> requests.  This should fool most people looking around to find someone
>> >> valnerable.  I'll post a ipchain rule set that has a lot of this done
>for
>> >> you already.  Then Kerry can go over it with a fine tooth comb and tell
>me
>> >> what's wrong with it.
>> >>
>> >> HTH
>> >> FC
>> >>
>> >>
>> >> On Fri, 27 Oct 2000, brian Moore wrote:
>> >>
>> >> > Greetings all.  okay finally got my linux box up and all my services
>> >> > running the way I want.  my mail server is finally doing what I want.
>I
>> >> > think i have all my ipchains rules setup right and pluged all the
>> >security
>> >> > holes I know of.  the one I'm not clear on is my port 25 security.
>if
>> >this
>> >> > machine ever becomes a spam host, I will have to shoot myself so I
>want
>> >to
>> >> > make real sure that no one except those in my local network can use
>it.
>> >> > probably asking for trouble but got all my logging on verbose to see
>> >what
>> >> > happens.  can someone try and use my smtp server and see if you can.
>if
>> >> > you notice anything else, let me know as well.
>> >> >
>> >> > would really apreciate it.
>> >> >
>> >> > host is bmoore.yi.org
>> >> > thanks.  brian.
>> >> >
>> >> >
>> >> >
>> >> > _______________________________________________
>> >> > Speakup mailing list
>> >> > Speakup@braille.uwo.ca
>> >> > http://speech.braille.uwo.ca/mailman/listinfo/speakup
>> >> >
>> >>
>> >>
>> >> _______________________________________________
>> >> Speakup mailing list
>> >> Speakup@braille.uwo.ca
>> >> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>> >
>> >
>> >_______________________________________________
>> >Speakup mailing list
>> >Speakup@braille.uwo.ca
>> >http://speech.braille.uwo.ca/mailman/listinfo/speakup
>> >
>> >
>> >
>>
>>
>> _______________________________________________
>> Speakup mailing list
>> Speakup@braille.uwo.ca
>> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
>
>_______________________________________________
>Speakup mailing list
>Speakup@braille.uwo.ca
>http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
>
>

Re: need a volunteer

[Victor Tsaran]

Well, I personally don't like the way some Emailers implemented IMAP access.
One of such Emailers is Outlook Express. Pine has done it well, but not all
ISP's use IMAP, in which case it would be hard to rely on IMAP only.
Yes, SFTP works the same way as SSh. However, again, there is the same
issue: not all ISP's use SSH and therefore you might be bound to using
Telnet.

******* ******* *******
have you thought of visiting Cybertsar's Internet Kingdom? It is still
alive!
Here is the URL:
http://go.to/vtsaran
or
http://kickme.to/vtsaran

******* ******* *******
----- Original Message -----
From: "Brent Harding" <bharding@ufw2.com>
To: <speakup@braille.uwo.ca>
Sent: Saturday, October 28, 2000 12:26 PM
Subject: Re: need a volunteer


> Does sftp work similar to regular ftp? I've heard another bad service to
> leave running is tftp, as I've heard it's unauthenticated anyways. I'd
> probably leave pop open, ftp only if I really needed a place to put files
> for anonymous ftp, download only of course. Can most programs people use
> handle the nonstandard authentication that would make pop safer, like apop
> or md5?
> In email clients I've used, I've never found settings for md5, but I think
> eudora has apop.
> At 03:52 AM 10/28/00 -0700, you wrote:
> >Hey, FC!
> >Can you please attach this file with chain rules for me as well?
> >WOuld be much grateful.
> >
> >Why did you say to shutdown the 110 and 113 ports. They are used for
serving
> >POP3 client. Don't you need to get your Email once in a while? I would
> >definitely agree with 23 and 21 to be exchanged for SSH service which
also
> >provides sftp.
> >
> >Vic
> >
> >******* ******* *******
> >have you thought of visiting Cybertsar's Internet Kingdom? It is still
> >alive!
> >Here is the URL:
> >http://go.to/vtsaran
> >or
> >http://kickme.to/vtsaran
> >
> >******* ******* *******
> >----- Original Message -----
> >From: "Frank J. Carmickle" <frankiec@braille.uwo.ca>
> >To: "brian Moore" <admin@bmoore.yi.org>
> >Cc: <speakup@braille.uwo.ca>
> >Sent: Friday, October 27, 2000 11:23 PM
> >Subject: Re: need a volunteer
> >
> >
> >> Ok Brian.
> >> How secure do you want this machine that lives on the wonderfully
unsecure
> >> network of athome?  I would imagine that you want something that's a
> >> little tighter then what you have right now.  When I portscan you I see
21
> >> 23 24 80 110 and 113.  Looks everything else is closed up.  My
> >> recommendation to you is to get ssh on your box and forget about telnet
> >> and ftp for starters.  Why you have pop3 waiting for connections is
> >> something else I would think you would want shut down.  If you really
need
> >> http keep it.  However if you have another machine that you can
> >> specifically set up as a firewall you will be a lot happier to know
that
> >> all of the trafic to your http server can be logged.  Same goes for
> >> everything else.
> >>
> >> One thing that you really also want to have happening is some ipchains
> >> rules setup so that your machine doesn't respond to portscans or ping
> >> requests.  This should fool most people looking around to find someone
> >> valnerable.  I'll post a ipchain rule set that has a lot of this done
for
> >> you already.  Then Kerry can go over it with a fine tooth comb and tell
me
> >> what's wrong with it.
> >>
> >> HTH
> >> FC
> >>
> >>
> >> On Fri, 27 Oct 2000, brian Moore wrote:
> >>
> >> > Greetings all.  okay finally got my linux box up and all my services
> >> > running the way I want.  my mail server is finally doing what I want.
I
> >> > think i have all my ipchains rules setup right and pluged all the
> >security
> >> > holes I know of.  the one I'm not clear on is my port 25 security.
if
> >this
> >> > machine ever becomes a spam host, I will have to shoot myself so I
want
> >to
> >> > make real sure that no one except those in my local network can use
it.
> >> > probably asking for trouble but got all my logging on verbose to see
> >what
> >> > happens.  can someone try and use my smtp server and see if you can.
if
> >> > you notice anything else, let me know as well.
> >> >
> >> > would really apreciate it.
> >> >
> >> > host is bmoore.yi.org
> >> > thanks.  brian.
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > Speakup mailing list
> >> > Speakup@braille.uwo.ca
> >> > http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >> >
> >>
> >>
> >> _______________________________________________
> >> Speakup mailing list
> >> Speakup@braille.uwo.ca
> >> http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >
> >
> >_______________________________________________
> >Speakup mailing list
> >Speakup@braille.uwo.ca
> >http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >
> >
> >
>
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

Re: need a volunteer

[Kerry Hoath]

Port 139 tcp is used for smb connections;
port 137 udp is used or name resoltuion and 138 is used for netbios datagram
services. Best to block 137-139 tcp and udp for maximum safety or don't
even run smb on the external interfaces I run to networks here
one on 192.168.1.x for windows and my externally visible network.

Regards, Kerry.
On Sun, Oct 29, 2000 at 01:00:38PM +1100, Geoff Shang wrote:
> On Sat, 28 Oct 2000, Brent Harding wrote:
> 
> > In windows, ports 135, 138, and 139 are probably always open, but you can't
> > do much too usefull with them.
> 
> hmmm.  I only have 139 open on our windows box.  This port is labeled
> netbios-ssn which is used for sharing windows drives and probably printers.  
> If you have this port open on a cable network and someone manages to hack
> their way into your drive shares, no file is safe.
> 
> Geoff.
> 
> 
> 
> -- 
> Geoff Shang <gshang10@scu.edu.au>
> ICQ number 43634701
> 
> 
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

-- 
--
Kerry Hoath: kerry@gotss.eu.org
Alternates: kerry@emusys.com.au kerry@gotss.spice.net.au or khoath@lis.net.au
ICQ UIN: 62823451

Re: need a volunteer

[Brent Harding]

Wow, portscanning his system showed that port as filtered tcp, and 135 as
open, 138 was filtered too. At least it appears that a connection isn't
allowed to the outside on that port, maybe 135 is for aol instant messenger
or something.
At 01:00 PM 10/29/00 +1100, you wrote:
>On Sat, 28 Oct 2000, Brent Harding wrote:
>
>> In windows, ports 135, 138, and 139 are probably always open, but you can't
>> do much too usefull with them.
>
>hmmm.  I only have 139 open on our windows box.  This port is labeled
>netbios-ssn which is used for sharing windows drives and probably printers.  
>If you have this port open on a cable network and someone manages to hack
>their way into your drive shares, no file is safe.
>
>Geoff.
>
>
>
>-- 
>Geoff Shang <gshang10@scu.edu.au>
>ICQ number 43634701
>
>
>_______________________________________________
>Speakup mailing list
>Speakup@braille.uwo.ca
>http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
>
>

Re: need a volunteer

[Geoff Shang]

Hi:

Programs like AIM and other such user-space programs generally use ports
greater than 1024.  I would expect that 135 is something less exotic.  But
that raises a good point.  Anyone know where one can find a definitive port
list?  More definitive than /etc/services, that is?

Geoff.


-- 
Geoff Shang <gshang10@scu.edu.au>
ICQ number 43634701

Re: need a volunteer

[Kirk Wood]

Sorry to take so long to find this but here are places to get a pretty
definitave  list of ports and their assignments:
http://www.isi.edu/in-notes/iana/assignments/port-numbers
http://info.internet.isi.edu/in-notes/rfc/files/rfc1700.txt

The second files actually accounts for every port below 100 (mentioning
which are unassigned). It is some good light reading to do while commuting.
(Right and good luck reading it all.)

Kirk Wood

Re: need a volunteer

[Kirk Wood]

Sorry to take so long to find this but here are places to get a pretty
definitave  list of ports and their assignments:
http://www.isi.edu/in-notes/iana/assignments/port-numbers
http://info.internet.isi.edu/in-notes/rfc/files/rfc1700.txt

The second files actually accounts for every port below 100 (mentioning
which are unassigned). It is some good light reading to do while commuting.
(Right and good luck reading it all.)

Kirk Wood

Re: need a volunteer

[Victor Tsaran]

I think there is an extension for TeraTerm. See on their web site!
Vic

******* ******* *******
have you thought of visiting Cybertsar's Internet Kingdom? It is still
alive!
Here is the URL:
http://go.to/vtsaran
or
http://kickme.to/vtsaran

******* ******* *******
----- Original Message -----
From: "Brent Harding" <bharding@ufw2.com>
To: <speakup@braille.uwo.ca>
Sent: Saturday, October 28, 2000 6:31 PM
Subject: Re: need a volunteer


> Is there a way, in the event if isps wanted to use ssh and sftp that
> windows users could access this? I know teraterm does it for ssh, but am
> not sure what for the sftp, or pop3 behind ssh mechanism mentioned in some
> howto about mail some where. The idea of that was so pop passwords were
> sent through ssh instead of clear text.
> At 09:57 PM 10/28/00 -0700, you wrote:
> >Well, I personally don't like the way some Emailers implemented IMAP
access.
> >One of such Emailers is Outlook Express. Pine has done it well, but not
all
> >ISP's use IMAP, in which case it would be hard to rely on IMAP only.
> >Yes, SFTP works the same way as SSh. However, again, there is the same
> >issue: not all ISP's use SSH and therefore you might be bound to using
> >Telnet.
> >
> >******* ******* *******
> >have you thought of visiting Cybertsar's Internet Kingdom? It is still
> >alive!
> >Here is the URL:
> >http://go.to/vtsaran
> >or
> >http://kickme.to/vtsaran
> >
> >******* ******* *******
> >----- Original Message -----
> >From: "Brent Harding" <bharding@ufw2.com>
> >To: <speakup@braille.uwo.ca>
> >Sent: Saturday, October 28, 2000 12:26 PM
> >Subject: Re: need a volunteer
> >
> >
> >> Does sftp work similar to regular ftp? I've heard another bad service
to
> >> leave running is tftp, as I've heard it's unauthenticated anyways. I'd
> >> probably leave pop open, ftp only if I really needed a place to put
files
> >> for anonymous ftp, download only of course. Can most programs people
use
> >> handle the nonstandard authentication that would make pop safer, like
apop
> >> or md5?
> >> In email clients I've used, I've never found settings for md5, but I
think
> >> eudora has apop.
> >> At 03:52 AM 10/28/00 -0700, you wrote:
> >> >Hey, FC!
> >> >Can you please attach this file with chain rules for me as well?
> >> >WOuld be much grateful.
> >> >
> >> >Why did you say to shutdown the 110 and 113 ports. They are used for
> >serving
> >> >POP3 client. Don't you need to get your Email once in a while? I would
> >> >definitely agree with 23 and 21 to be exchanged for SSH service which
> >also
> >> >provides sftp.
> >> >
> >> >Vic
> >> >
> >> >******* ******* *******
> >> >have you thought of visiting Cybertsar's Internet Kingdom? It is still
> >> >alive!
> >> >Here is the URL:
> >> >http://go.to/vtsaran
> >> >or
> >> >http://kickme.to/vtsaran
> >> >
> >> >******* ******* *******
> >> >----- Original Message -----
> >> >From: "Frank J. Carmickle" <frankiec@braille.uwo.ca>
> >> >To: "brian Moore" <admin@bmoore.yi.org>
> >> >Cc: <speakup@braille.uwo.ca>
> >> >Sent: Friday, October 27, 2000 11:23 PM
> >> >Subject: Re: need a volunteer
> >> >
> >> >
> >> >> Ok Brian.
> >> >> How secure do you want this machine that lives on the wonderfully
> >unsecure
> >> >> network of athome?  I would imagine that you want something that's a
> >> >> little tighter then what you have right now.  When I portscan you I
see
> >21
> >> >> 23 24 80 110 and 113.  Looks everything else is closed up.  My
> >> >> recommendation to you is to get ssh on your box and forget about
telnet
> >> >> and ftp for starters.  Why you have pop3 waiting for connections is
> >> >> something else I would think you would want shut down.  If you
really
> >need
> >> >> http keep it.  However if you have another machine that you can
> >> >> specifically set up as a firewall you will be a lot happier to know
> >that
> >> >> all of the trafic to your http server can be logged.  Same goes for
> >> >> everything else.
> >> >>
> >> >> One thing that you really also want to have happening is some
ipchains
> >> >> rules setup so that your machine doesn't respond to portscans or
ping
> >> >> requests.  This should fool most people looking around to find
someone
> >> >> valnerable.  I'll post a ipchain rule set that has a lot of this
done
> >for
> >> >> you already.  Then Kerry can go over it with a fine tooth comb and
tell
> >me
> >> >> what's wrong with it.
> >> >>
> >> >> HTH
> >> >> FC
> >> >>
> >> >>
> >> >> On Fri, 27 Oct 2000, brian Moore wrote:
> >> >>
> >> >> > Greetings all.  okay finally got my linux box up and all my
services
> >> >> > running the way I want.  my mail server is finally doing what I
want.
> >I
> >> >> > think i have all my ipchains rules setup right and pluged all the
> >> >security
> >> >> > holes I know of.  the one I'm not clear on is my port 25 security.
> >if
> >> >this
> >> >> > machine ever becomes a spam host, I will have to shoot myself so I
> >want
> >> >to
> >> >> > make real sure that no one except those in my local network can
use
> >it.
> >> >> > probably asking for trouble but got all my logging on verbose to
see
> >> >what
> >> >> > happens.  can someone try and use my smtp server and see if you
can.
> >if
> >> >> > you notice anything else, let me know as well.
> >> >> >
> >> >> > would really apreciate it.
> >> >> >
> >> >> > host is bmoore.yi.org
> >> >> > thanks.  brian.
> >> >> >
> >> >> >
> >> >> >
> >> >> > _______________________________________________
> >> >> > Speakup mailing list
> >> >> > Speakup@braille.uwo.ca
> >> >> > http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >> >> >
> >> >>
> >> >>
> >> >> _______________________________________________
> >> >> Speakup mailing list
> >> >> Speakup@braille.uwo.ca
> >> >> http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >> >
> >> >
> >> >_______________________________________________
> >> >Speakup mailing list
> >> >Speakup@braille.uwo.ca
> >> >http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >> >
> >> >
> >> >
> >>
> >>
> >> _______________________________________________
> >> Speakup mailing list
> >> Speakup@braille.uwo.ca
> >> http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >
> >
> >_______________________________________________
> >Speakup mailing list
> >Speakup@braille.uwo.ca
> >http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >
> >
> >
>
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

Re: need a volunteer

[Victor Tsaran]

Well, that's another thing. If you run Yahoo Messenger, Net Meeting,
Napster, some additional ports might be open.
Best,
Vic

******* ******* *******
have you thought of visiting Cybertsar's Internet Kingdom? It is still
alive!
Here is the URL:
http://go.to/vtsaran
or
http://kickme.to/vtsaran

******* ******* *******
----- Original Message -----
From: "Brent Harding" <bharding@ufw2.com>
To: <speakup@braille.uwo.ca>
Sent: Sunday, October 29, 2000 9:44 AM
Subject: Re: need a volunteer


> Wow, portscanning his system showed that port as filtered tcp, and 135 as
> open, 138 was filtered too. At least it appears that a connection isn't
> allowed to the outside on that port, maybe 135 is for aol instant
messenger
> or something.
> At 01:00 PM 10/29/00 +1100, you wrote:
> >On Sat, 28 Oct 2000, Brent Harding wrote:
> >
> >> In windows, ports 135, 138, and 139 are probably always open, but you
can't
> >> do much too usefull with them.
> >
> >hmmm.  I only have 139 open on our windows box.  This port is labeled
> >netbios-ssn which is used for sharing windows drives and probably
printers.
> >If you have this port open on a cable network and someone manages to hack
> >their way into your drive shares, no file is safe.
> >
> >Geoff.
> >
> >
> >
> >--
> >Geoff Shang <gshang10@scu.edu.au>
> >ICQ number 43634701
> >
> >
> >_______________________________________________
> >Speakup mailing list
> >Speakup@braille.uwo.ca
> >http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >
> >
> >
>
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

Re: need a volunteer

[Kerry Hoath]

You might want to put an interface specifier on these rules;
otherwise somebody upstream can spoof ips through your firewall by making
internal ips show up on the external interface so di bind the rule to a
particular interface. This was a big problem with MS proxy 2
that wouldn't let you specify an interface for a particular rule.
On Sat, Oct 28, 2000 at 01:40:23PM -0500, Kirk Wood wrote:
> By the way any port can be instantly closed with ipchains. Again the
> general method is:
> 
> ipchains -A input -p tcp -d your_ip_address:port -j DENY
> 
> This will drop the packet as if it never occured. You can change the last
> part to REJECT in which case an icmp message is sent back to the
> originating host. But if you DENY the packet a port scanner won't see your
> machine. Don't rely on this to say you won't be attacked. It just lowers
> your profile.
> 
> By the way, while ATT at Home is less secure then some ISPs, the internet
> in general is a hostile world. If you really want to secure against it cut
> the connection. Next would be to find an ISP that will place you behind
> their firewall.
> 
> =======
> Kirk Wood
> Cpt.Kirk@1tree.net
> 
> 
> 
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

-- 
--
Kerry Hoath: kerry@gotss.eu.org
Alternates: kerry@emusys.com.au kerry@gotss.spice.net.au or khoath@lis.net.au
ICQ UIN: 62823451

Re: need a volunteer

[Kirk Wood]

By the way any port can be instantly closed with ipchains. Again the
general method is:

ipchains -A input -p tcp -d your_ip_address:port -j DENY

This will drop the packet as if it never occured. You can change the last
part to REJECT in which case an icmp message is sent back to the
originating host. But if you DENY the packet a port scanner won't see your
machine. Don't rely on this to say you won't be attacked. It just lowers
your profile.

By the way, while ATT at Home is less secure then some ISPs, the internet
in general is a hostile world. If you really want to secure against it cut
the connection. Next would be to find an ISP that will place you behind
their firewall.

=======
Kirk Wood
Cpt.Kirk@1tree.net

Re: need a volunteer

[Kirk Wood]

This is not a complete script, but will add security to prevent external
people from accessing your mail host.
ipchains -A input -p tcp -d externalip:25 -j DENY
Going sown the command the -A input add a rule to the input chain. The -p
tcp specifies tcp protocol and is needed to specify a port. The -d
externip:25 specifies anything addressed to your externalip address port
25. (In case you didn't get it, you will substitute your external ip
address here.) The -j DENY causes the packet to simply be dropped. No
further action is taken. No ICMP message is genereated. It is as if the
packet never came. You could opt for REJECT here in which case an ICMP
packet will be sent to let the offending host know that he can't send
here.

Without getting into an argument about security through obsecurity I
choose to be less of a target. I don't count on script kiddies not finding
me. But I prefer to not advertise my presence either.

=======
Kirk Wood
Cpt.Kirk@1tree.net

Re: need a volunteer

[Frank J. Carmickle]

Alright everybody.  Here's Shawn's ipchains script.  It has lots of stuff
in it that some of you may or may not want.  I would suggest that you read
it carefully and edit it to your liking.  It currently logs and blocks
certain related hosts trafic.  This script was the product of being hacked
pretty badly.  

I would also recommend that people use the tcp rapper by placing certain
hosts in the host.allow and hosts.deny files.  

The biggest thing you can do for youself is to test your own security.
Make sure that ever thing that you setup is working the way that you would
expect it to.  Remember any machine connected to a network has some
security risks.

If anyone has suggestions or changes please post them.  I am sure they
would help everyone.

Here it is!  

#!/bin/sh
#
# IPCHAINS-FIREWALL V1.6.2m
#
# ----------------------------------------- Ipchains Firewall and MASQ Script -
#
# Original script by Ian Hall-Beyer (manuka@nerdherd.net)
#
# Contributors:
# terminus (cpm@dotquad.com) (ICQ & DHCP, @home testing)

# ---------------------------------------------------------------- Interfaces -
# Local Interface
# This is the interface that is your link to the world

LOCALIF="eth0"

# Internal Interface
# This is the interface for your local network
# NOTE: INTERNALNET is a *network* address. All host bits should be 0

INTERNALNET="192.168.1.0/24"
INTERNALIF="eth1"

# ------------------------------------------------------- Variable definition -
#
# Set the location of ipchains.

IPCHAINS="/sbin/ipchains"

# You shouldn't need to change anything in the rest of this section

LOCALIP=`ifconfig $LOCALIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`
LOCALMASK=`ifconfig $LOCALIF | grep Mask | cut -d : -f 4`
LOCALNET="$LOCALIP/$LOCALMASK"

echo "Internal ($INTERNALIF): $INTERNALNET"
echo "External ($LOCALIF): $LOCALNET"
echo "-------------------------------------"

REMOTENET="0/0"

# -------------------------------------- Flush everything, start from scratch -

echo -n "Flushing rulesets.."

# Incoming packets from the outside network
$IPCHAINS -F input
echo -n "."

# Outgoing packets from the internal network
$IPCHAINS -F output   
echo -n "."

# Forwarding/masquerading
$IPCHAINS -F forward
echo -n "."

echo "Done!"

# ---------------------------------- Allow all connections within the network -

echo -n "Internal.."

$IPCHAINS -A input -s $INTERNALNET -d $INTERNALNET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $INTERNALNET -j ACCEPT
echo -n ".."

echo "Done!"

# -------------------------------------------------- Allow loopback interface -

echo -n "Loopback.."

$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
echo -n ".."

echo "Done!"

# -------------------------------------------------------------- Masquerading -

echo -n "Masquerading.."

# don't masquerade internal-internal traffic
$IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT
echo -n "."

# don't Masquerade external interface direct
$IPCHAINS -A forward -s $LOCALNET -d $REMOTENET -j ACCEPT 
echo -n "."

# masquerade all internal IP's going outside
$IPCHAINS -A forward -s $INTERNALNET -d $REMOTENET -j MASQ
echo -n "."

# set Default rule on MASQ chain to Deny
$IPCHAINS -P forward DENY
echo -n "."

# --------------------- Allow all connections from the network to the outside -

$IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT   
$IPCHAINS -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT
echo -n ".."

echo "Done!"

# ----------------------------------Set telnet, www and FTP for minimum delay -
# This section manipulates the Type Of Service (TOS) bits of the 
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel

echo -n "TOS flags.."

$IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 telnet -t 0x01 0x10   
$IPCHAINS -A output -p tcp -d 0/0 ftp -t 0x01 0x10
echo -n "..."

# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
echo -n "."

echo "Done!"

# ---------------------------------------------------------- Trusted Networks -
# Add in any rules to specifically allow connections from hosts/nets that
# would otherwise be blocked.

echo -n "Trusted Networks.."

$IPCHAINS -A input -s 63.108.22.128/255.255.255.224 -d $LOCALNET -j ACCEPT
echo -n "."

# echo "Done!"

# ----------------------------------------------------------- Banned Networks -
# Add in any rules to specifically block connections from hosts/nets that
# have been known to cause you problems. These packets are logged.

# echo -n "Banned Networks.."

# This one is generic
# $IPCHAINS -A input -l -s [banned host/net] -d $LOCALNET <ports> -j DENY
# echo -n "."

# This one blocks ICMP attacks
# $IPCHAINS -A input -l -b -i $LOCALIF -p icmp -s [host/net] -d $LOCALNET -j DENY
# echo -n "."

# echo "Done!"

# ------------------------------------------------------ @home-specific rules -
# This @home stuff is pretty specific to me (terminus).  I get massive port
# scans from my neighbors and from pokey admins at @home, so I just got harsh
# and blocked all their stuff, with a few exceptions, listed below.
#
# If someone out there finds out the ip ranges of JUST tci@home, let me know
# so i don't end up blocking ALL cablemodems like it's doing now.

echo -n "Cable Modem Nets.."

# so we can check mail, use the proxy server, hit @home's webpage.
# you will want to set these to your local servers, and uncomment them

# $IPCHAINS -A input -p tcp -s ha1.rdc1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s mail.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s www.tcma1.wa.home.com -d $LOCALNET 1023:65355 -j ACCEPT
# $IPCHAINS -A input -p tcp -s proxy.tcma1.wa.home.com -d $LOCALNET 1023:65535  -j ACCEPT
# echo -n "...."

# so we can resolve the above hostnames, allow dns queries back to us
# $IPCHAINS -A input -p tcp -s ns1.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s ns2.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p udp -s ns1.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p udp -s ns2.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# echo -n ".."

# linux ipchains building script page (I think)
# $IPCHAINS -A input -p tcp -s 24.128.61.117 -d $LOCALNET 1023:65535 -j  ACCEPT
# echo -n "."

# Non-@home users may want to leave this uncommented, just to block all
# the wannabe crackers. Add any @home hosts you want to allow BEFORE this line.

# Blast all other @home connections into infinity and log them.
# $IPCHAINS -A input -l -s 24.0.0.0/8 -d $LOCALNET -j DENY
echo -n "."

echo "Done!"

# ---------------------------- Specific port blocks on the external interface -
# This section blocks off ports/services to the outside that have
# vulnerabilities. This will not affect the ability to use these services
# within your network. 

echo -n "Port Blocks.."
 
# NetBEUI/Samba
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 139 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 139 -j DENY
echo -n "."

# Microsoft SQL
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1433 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1433 -j DENY
echo -n "."

# Postgres SQL

$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5432 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5432 -j DENY
echo -n "."

# Network File System
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 2049 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 2049 -j DENY
echo -n "."

# X Displays :0-:2-
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY
echo -n "."

# X Font Server :0-:2-
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 7100 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 7100 -j DENY
echo -n "."

# Back Orifice (logged)
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 31337 -j DENY
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 31337 -j DENY
echo -n "."

# NetBus (logged)
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 12345:12346 -j DENY
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 12345:12346 -j DENY
echo -n "."

echo "Done!"

# --------------------------------------------------- High Unprivileged ports -
# These are opened up to allow sockets created by connections allowed by 
# ipchains

echo -n "High Ports.."

$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT
echo -n "."

echo "Done!"

# ------------------------------------------------------------ Basic Services -

echo -n "Services.."

# ftp-data (20) and ftp (21)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 20 -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 21 -j ACCEPT
# echo -n ".."

# ssh (22)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 22 -j ACCEPT
# echo -n "."

# telnet (23)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 23 -j ACCEPT
# echo -n "."

# smtp (25)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 25 -j ACCEPT
# echo -n "."

# DNS (53)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
echo -n ".."

# DHCP on LAN side (to make @Home DHCP work) (67/68)
$IPCHAINS -A input -i $INTERNALIF -p udp -s $REMOTENET -d 255.255.255.255/24 67 -j ACCEPT
$IPCHAINS -A output -i $INTERNALIF -p udp -s $REMOTENET -d 255.255.255.255/24 68 -j ACCEPT
# echo -n ".."

# http (80)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j ACCEPT
# echo -n "."

# POP-3 (110)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 110 -j ACCEPT
# echo -n "."

# identd (113)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 113 -j ACCEPT
# echo -n "."

# imapd (143)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 143 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 143 -j ACCEPT
# echo -n "."

# nntp (119)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 119 -j ACCEPT
# echo -n "."

# https (443)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 443 -j ACCEPT
# echo -n "."

# ICQ Services (it's a server service) (4000)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 4000 -j ACCEPT
# echo -n "."

echo "Done!"

# ---------------------------------------------------------------------- ICMP -

echo -n "ICMP Rules.."

# Use this to deny ICMP attacks from specific addresses
# $IPCHAINS -A input -b -i $EXTERNALIF -p icmp -s <address> -d 0/0 -j DENY
# echo -n "."

# Allow incoming ICMP
$IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
$IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
echo -n ".."

# Allow outgoing ICMP
$IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
echo -n "...."

echo "Done!"

# -------------------------------------------------------- set default policy -

$IPCHAINS -A input -j DENY
$IPCHAINS -A output -j ACCEPT

echo "Setting up Port Forwarding"

echo "DialPad"
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 51200 51201 -c tcp 7175
/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 51210 51210 -c tcp 7175
#echo "NabSter"
#/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 6698 6699 -c tcp 4444
#/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 6698 6699 -c tcp 8888
#/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 6698 6699 -c tcp 8875
#/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 6698 6699 -c tcp 5555
#/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 6698 6699 -c tcp 7777

# /usr/sbin/ipmasqadm autofw -A -v -u -r tcp 113 113 -c tcp 6667
# echo ICQ
# /usr/sbin/ipmasqadm autofw -A -v -u -r udp 2000 4000 -c tcp 4000

echo Speak Freely
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 2074 2076 -c udp 4074
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 4074 4075 -c udp 4074
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 2074 2076 -c udp 4075
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 4074 4075 -c udp 4075
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 2074 2076 -c udp 2074
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 4074 4075 -c udp 2074
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 2074 2076 -c udp 2075
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 4074 4075 -c udp 2075
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 2074 2076 -c tcp 2076
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 4074 4075 -c tcp 2076
/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 2076 2076 -c udp 2074
/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 2076 2076 -c udp 4074
/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 2076 2076 -c udp 2075
/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 2076 2076 -c tcp 2076

echo -n ".. Done"
echo ""
echo "Finished Establishing Firewall."