On Sun, December 6 1998, John Gonzalez/netMDC admin <[EMAIL PROTECTED]> wrote:
|
|it will probably be best to convince this ISP to set up his routers
|properly. Among many filters he should have, make SURE he has at least
|these few:
|
|Do not accept packets from OUTSIDE his network DESTINED to HIS network
|with HIS network range. Ie. Nothing should be coming in to his network on
|his wan link, from within his network.
|
|Don't allow any packets OUT the network unless it is addressed from WITHIN
|his network.
|
|You can also block certain ranges, that should not be in use. 10.* 192.*,
|others.
I'd also add broadcast (global and network-specific) with both all-ones and all-zeros to that list.

Consider blocking all UDP packets except to/from port 53 of the name server. Same with TCP except for the relevant services on the relevant machines.

If applicable, consider having a SonicWall or maybe one of the Linux-based firewalls I think I've seen floating by on Freshmeat/Linuxtoday - their main advantage as I see it is that they have stateful filtering.

Make sure the routers on the way (as far as they are under your control) have non-obvious SNMP communities/telnet passwords (or disable SNMP altogether if you don't need it).

Make sure you absolutely need every package installed on your machine (e.g. I didn't install junkbuster because I didn't have any use for it - later it was found to contain a security hole - got the idea?)

Another extra step - in addition to the router filtering, install a 2.0.36 kernel with the ipchains patch (and the secure-linux patches?) and add the same filters.

Cheers,

--Amos

--Amos Shapira             | "Of course Australia was marked for
133 Shlomo Ben-Yosef st.   | glory, for its people had been chosen
Jerusalem 93 805           | by the finest judges in England."
ISRAEL [EMAIL PROTECTED]   |    -- Anonymous
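The filters discussed in this thread (ingress and egress anti-spoofing, unused address ranges, all-ones/all-zeros broadcast, and UDP/TCP restricted to the name server and published services), written out as a small packet-policy evaluator so the rules can be checked against sample packets. This is an added example, not code from either poster; the ISP block 203.0.113.0/24, the name server 203.0.113.53, the two published TCP services and the reading of "192.*" as 192.168.0.0/16 are assumptions, and the filter is stateless in the way the reply warns about (inbound TCP is judged on the SYN flag, as the ipchains SYN match does, not on connection state).

```python
import ipaddress
from typing import NamedTuple

# Constructed sample policy; all of these values are assumptions, not from the thread.
OUR_NET = ipaddress.ip_network("203.0.113.0/24")            # the ISP's own address block
NAME_SERVER = ipaddress.ip_address("203.0.113.53")          # its name server
ALLOWED_TCP = {("203.0.113.25", 25), ("203.0.113.80", 80)}  # (host, port) of public services
# "Ranges that should not be in use": RFC 1918 space. The post says 10.* and 192.*;
# 192.168.0.0/16 is assumed here, because 192/8 as a whole contains public addresses.
BOGONS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Packet(NamedTuple):
    direction: str      # "in": arriving on the WAN link; "out": leaving towards the upstream
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt

def is_broadcast(addr):
    """Global or network-specific broadcast, in both all-ones and all-zeros form."""
    return int(addr) in (0, 0xFFFFFFFF,
                         int(OUR_NET.network_address), int(OUR_NET.broadcast_address))

def verdict(p):
    """Return (action, reason) for one IPv4 packet under the filters from the thread."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if is_broadcast(src) or is_broadcast(dst):
        return "DROP", "broadcast address"
    if p.direction == "out" and src not in OUR_NET:
        # Egress: nothing leaves unless it carries one of our own source addresses
        return "DROP", "egress: source not in our network"
    if p.direction == "in" and src in OUR_NET:
        # Ingress: our own range must never arrive on the WAN link as a source
        return "DROP", "ingress: spoofed source from our own range"
    if p.direction == "in" and any(src in n for n in BOGONS):
        return "DROP", "ingress: source in a range that should not be in use"
    if p.proto == "udp":
        # UDP only to or from port 53 of the name server (queries to it, and replies to
        # its own queries, which a name server of that era sent from port 53)
        dns = (dst == NAME_SERVER and p.dport == 53) or (src == NAME_SERVER and p.sport == 53)
        if not dns:
            return "DROP", "udp: only DNS to/from the name server"
    if p.direction == "in" and p.proto == "tcp" and p.syn and (p.dst, p.dport) not in ALLOWED_TCP:
        # New inbound TCP connections only to the published services; packets of established
        # connections (no SYN) pass, which is as close as a stateless filter gets
        return "DROP", "tcp: new connection to an unpublished service"
    return "ACCEPT", "permitted by policy"
```

Because the TCP rule keys on the SYN flag alone, a non-SYN packet to any inside host is accepted; that gap is exactly what the stateful filtering mentioned in the reply closes.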