On Sunday 02 January 2005 01:35, Craig White wrote:
>On Sun, 2005-01-02 at 01:11 -0500, Gene Heskett wrote:
>> And, being root seems to suit me. I have enough firewall and
>> natting between here and the dsl modem that I could give you its
>> address and you couldn't find it with satan or nmap. 3 ethernet
>> cards with iptables bolted down pretty tightly between two of them
>> in the firewall box, an 8 port switch for the local net on this
>> side of the firewall, a linksys router doing the natting in
>> gateway mode on the other side of the firewall have pretty well
>> protected me. Only two crack attempts made it as far as the log
>> on the firewall box in the last 20 months, and both attempts
>> actually came from one of my assigned verizon dns servers. And
>> were shut down by portsentry on the first syn packet.
>
>---
>this comes off as a challenge - not a smart thing.

Maybe. I had one of my kids send his best attack tool after me one
evening a couple of months ago and he let it cycle thru its kit of
windows tricks for about 15 minutes. No response of any kind was seen
on his end, and it never made the iptables logs on this end. So then
I returned the favor with a late nmap, and for a windows box it was
bolted down pretty tight, IIRC I got a response from the ident port
and that was it. He's since shut that down.

>first off, your public ip address is in the headers. second thing
>is, why motivate someone to attempt to get into your system? third
>thing is running web browsers and other x applications will execute
>with root privileges (java/javascript/rle embedded in images, etc.)
>off-site scripts which you have no chance to review - no amount of
>firewall or nat affects this. The dark and dirty secret of Windows
>is that if you run with Administrator privileges, no amount of
>Microsoft updates will secure you, Linux isn't all that different.
>
>moreover, most people call inbound packet filtering the same as a
>firewall when in reality, it isn't close to firewall. A firewall
>will inspect all traffic inbound and outbound for suitability,
>review and logging. What we call firewalls is nat/masquerade which
>lets all activity out to the public internet without any regard to
>its purpose - not a firewall.
>
>You're bold with your belief in your security - not sure it's
>warranted.
>
>Craig

A Linksys BESFR41 with the latest flash seems to make a pretty
bulletproof firewall all by itself. But now they have a new one out
with a much better user interface, I saw its screens the other night
from here while it was at the tv station. The first thing I gave Jim
hell for was leaving the web access turned on from outside, so I
imagine that's been turned off by now.

As far as personal actions that might invite problems, I don't by
default load images that are offsite from the page I'm headed for,
and even if I do click on an .exe file, kmail won't allow it to be
run. Besides, I think I've got more common sense than to click on
some of the friggin spam. I must be doing all right, in 7 years+ now,
the only one that caught a viri is me, sniffle sniffle cough cough. :)

I never caught anything when I was running a full blown 040+64 megs
of ram Amiga 2000 either. Before that, there was the trs80 color
computer and os9, which I helped turn os9 into nitros9, and AFAIK
there never was a viri written for that. So basically, I've never
developed all those bad windows habits, never had a copy of windows
on the premises, ever. If I need a dos, it's drdos-7.0.3.

Did I mention I hate M$? No, but I imagine one doesn't have to read
between the lines much to see that.. :-) :-)

--
Cheers Craig, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.31% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com attorneys please note, additions to this message
by Gene Heskett are:
Copyright 2004 by Maurice Eugene Heskett, all rights reserved.