Re: setting port ranges via Security Level GUI?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Okay, I got this to work. Not sure if it's as secure as I might wish,
but at least it makes the intruder have to spoof an internal address.

I think.

> > >Can it be done?
> > >
> > >If not, what do most people do when opening the netBIOS ports for samba
> > >(those who use samba, that is)? I assume, even though it only buys a
> > >speedbump, most people only open the netBIOS ports to the local net.
> > >
> > >Manual editing of /etc/sysconfig/iptables (in spite of
> > >system-config-securitylevel warning away from that)?
> > >
> > >Incidentally, when adding rules from the shell, I seem to have noticed
> > >that you can't specify multiple protocols and multiple ports in the same
> > >line like
> > >
> > >    iptables -A INPUT -p ALL -i eth0 -s 10.5.0.0/22 --destination-port
> > >137:139 -j ACCEPT
> > >
> > >Seems that -p All and --destination-port start:end conflict with each
> > >other. Am I imagining things?
> > >
> > >  
> > >
> > You might want to try this, though I currently have my firewall turned 
> > off on the Linux box.
> > Windows XP firewall exception for File and Printer Sharing:
> > TCP 139
> > TCP 445
> > UDP 137
> > UDP 138
> 
> Thanks. 
> 
> Doing that with the security widget did the trick. I'll try
> /etc/sysconfig/iptables on Monday.

Here are the four lines I added to /etc/sysconfig/iptables to clear the
firewall for the LAN:

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 10.5.0.0/25 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 10.5.0.0/25 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.5.0.0/25 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.5.0.0/25 --dport 445 -j ACCEPT

At least, they were four before your mail browser wrapped them. ;-P 

Anybody see any obvious holes in that?

-- 
Joel <rees@xxxxxxxxxxx>


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux