Monday, November 12, 2001
Demilitarized zone
The past few days I've been reconfiguring my firewall/proxy server here at home and I must certainly say that it's not quite as easy as I thought it was; and that supporting FTP is singularly annoying.
Prior to my mucking about I had allowed all TCP connections through, and then excluded the ones I didn't want, which meant that my rules (and I'm using ipfwadm here) looked like:

    ipfwadm -I -a reject -P tcp -W eth1 -D $IP 1:19
    ipfwadm -I -a reject -P tcp -W eth1 -D $IP 23:24
    ipfwadm -I -a reject -P tcp -W eth1 -D $IP 26:79
And so on. That made it hard to see what ports I did support (and I stopped at 1022 because it seems that Linux 2.0 starts handing out ports at 1023 even though it's supposed to start at 1024, but that's another story). I also had to make sure I blocked services on high ports like Squid, and I wanted to block the ports that stuff like Back Orifice uses (not that I'm really worried it'll attack me, but it's always nice to see attempts).
So I started mucking around.
And I'm still fine tuning everything. As Rob pointed out, I'm turning into a paranoid sysadmin.
Sigh.
But it is easier to see what I'm letting through.
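The two layouts side by side, as an added example that is not from the original post. The script emits the ipfwadm commands as text rather than running them, so it works on a machine that no longer has ipfwadm; the address, interface name and list of exposed services are assumptions, not values from the post. The first function computes the reject gaps the post wrote by hand (1:19, 23:24, 26:79 and so on) from the set of ports actually exposed; the second expresses the same policy as a default deny plus explicit accepts, where the exposed ports are the rule list itself.

```shell
#!/bin/sh
# Added example, not from the original post. Emits two equivalent ipfwadm
# rulesets for one set of exposed TCP services without running ipfwadm.
# Assumptions (not in the post): the address, interface and service list.
IP=192.0.2.10              # assumed external address of the firewall
IFACE=eth1                 # external interface, as in the post's rules
ALLOWED="20 21 22 25 80"   # assumed exposed services: ftp-data, ftp, ssh, smtp, http
LAST=1022                  # the post's reject ranges stop at 1022

# Print a port range as ipfwadm expects it: "lo:hi", or a single port.
emit_range() { [ "$1" -eq "$2" ] && echo "$1" || echo "$1:$2"; }

# Style 1 (the post's original layout): default accept, reject the gaps.
# reject_ranges prints every run of ports in 1..$2 that is not listed in
# $1, one range per line; this is what the hand-written rules encoded.
reject_ranges() {
    allowed="$1"; last="$2"; start=""; p=1
    while [ "$p" -le "$last" ]; do
        case " $allowed " in
            *" $p "*)   # exposed port: close any open gap
                if [ -n "$start" ]; then
                    emit_range "$start" "$((p - 1))"
                    start=""
                fi ;;
            *)          # blocked port: open a gap if none is open
                [ -n "$start" ] || start=$p ;;
        esac
        p=$((p + 1))
    done
    [ -z "$start" ] || emit_range "$start" "$last"
}

gap_rules() {
    echo "ipfwadm -I -p accept"   # default accept, as the post's setup implied
    reject_ranges "$ALLOWED" "$LAST" | while read -r r; do
        echo "ipfwadm -I -a reject -P tcp -W $IFACE -D $IP $r"
    done
}

# Style 2: default deny, then accept only what is exposed. Ports above 1022
# (Squid, Back Orifice's default 31337) need no rule at all. -k matches TCP
# packets with ACK set, i.e. replies to connections this host opened;
# -o turns on kernel logging for the final catch-all, so attempts show up.
allow_rules() {
    echo "ipfwadm -I -f"          # flush the input chain first
    echo "ipfwadm -I -p deny"     # default policy: deny
    echo "ipfwadm -I -a accept -P tcp -W $IFACE -k"   # replies to our outbound connections
    for p in $ALLOWED; do
        echo "ipfwadm -I -a accept -P tcp -W $IFACE -D $IP $p"
    done
    echo "ipfwadm -I -a deny -P tcp -W $IFACE -o"     # log everything else
}

gap_rules
echo
allow_rules
```

The caveat a stateless packet filter carries: the `-k` rule admits any packet with ACK set, not only replies to connections the host opened, so an ACK scan still reaches the exposed host; that is why ipfwadm-era rulesets also rejected whole ranges, and why later stateful filters match on connection state instead.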