On Samba, note that using netgroup for 'hosts allow' doesn't work, due to (numerous) bugs in the glibc libraries (FSF re-inventing the wheel, again).

There are, of course, a bunch of things one can do to beef up one's firewall (read the excellent IP-Chains HOWTO). Here's my current setup:

    #!/bin/sh
    echo 'enable IP masquerading'

    # anti-spoofing packet filtering based on source
    # (turn on the reverse-path filter for every interface)
    for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

    # Masquerading rules ...
    # (deny forwarding by default, masquerade only the two internal subnets)
    ipchains -P forward DENY
    ipchains -A forward -s 192.168.0.0/255.255.255.0 -j MASQ
    ipchains -A forward -s 192.168.204.0/255.255.255.0 -j MASQ

    # Services we want to have from internal sources but not from the cold, cruel
    # world.... (999.999.999.999 is a placeholder for the firewall's external address)
    ipchains -A input -i ppp0 -p tcp -d 999.999.999.999 login -j DENY
    ipchains -A input -i ppp0 -p tcp -d 999.999.999.999 exec -j DENY
    ipchains -A input -i ppp0 -p tcp -d 999.999.999.999 shell -j DENY
    ipchains -A input -i ppp0 -p tcp -d 999.999.999.999 pop-3 -j DENY
    ipchains -A input -i ppp0 -p tcp -d 999.999.999.999 imap3 -j DENY
    ipchains -A input -i ppp0 -p udp -d 999.999.999.999 pop-3 -j DENY
    ipchains -A input -i ppp0 -p udp -d 999.999.999.999 imap3 -j DENY

    # Ok, rules in place, turn it on
    echo "1" > /proc/sys/net/ipv4/ip_forward
    /sbin/modprobe ip_masq_ftp

I'm not sure what one does without a static IP address for the firewall, though. The pppd has some options for doing things once a demand mode link goes up....
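A small model of how this ruleset matches packets, added here as an example and not part of the original post: it transcribes the posted rules (with a constructed address in place of 999.999.999.999, the service names resolved to their standard ports, and an assumed ACCEPT policy on the input chain) and evaluates sample packets first-match against each chain. The last check in the assertions below illustrates the closing caveat: the DENY rules are bound to the firewall's address, so they stop matching if that address changes.

```python
import ipaddress

# Port numbers behind the service names the post uses (as in /etc/services).
SERVICES = {"login": 513, "exec": 512, "shell": 514, "pop-3": 110, "imap3": 220}
# Constructed stand-in for the post's 999.999.999.999 placeholder.
FW_IP = "203.0.113.1"

def rule(target, iface=None, proto=None, src=None, dst=None, service=None):
    """One ipchains rule; fields left as None are wildcards, as on the CLI."""
    return {"target": target, "iface": iface, "proto": proto, "src": src,
            "dst": dst, "dport": SERVICES[service] if service else None}

# The posted ruleset, transcribed: forward defaults to DENY and masquerades
# the two internal subnets; input denies the r-services, POP-3 and IMAP3
# arriving on ppp0 for the firewall's own address (input policy assumed ACCEPT).
CHAINS = {
    "forward": {"policy": "DENY", "rules": [
        rule("MASQ", src="192.168.0.0/24"),
        rule("MASQ", src="192.168.204.0/24")]},
    "input": {"policy": "ACCEPT", "rules": [
        rule("DENY", iface="ppp0", proto=p, dst=FW_IP, service=s)
        for p, s in [("tcp", "login"), ("tcp", "exec"), ("tcp", "shell"),
                     ("tcp", "pop-3"), ("tcp", "imap3"),
                     ("udp", "pop-3"), ("udp", "imap3")]]},
}

def pkt(iface, proto, src, dst, dport):
    return {"iface": iface, "proto": proto, "src": src, "dst": dst, "dport": dport}

def matches(r, p):
    if r["iface"] and r["iface"] != p["iface"]:
        return False
    if r["proto"] and r["proto"] != p["proto"]:
        return False
    if r["src"] and ipaddress.ip_address(p["src"]) not in ipaddress.ip_network(r["src"]):
        return False
    if r["dst"] and r["dst"] != p["dst"]:
        return False
    return r["dport"] is None or r["dport"] == p["dport"]

def verdict(chain, p):
    """First matching rule wins; otherwise the chain's default policy applies."""
    for r in CHAINS[chain]["rules"]:
        if matches(r, p):
            return r["target"]
    return CHAINS[chain]["policy"]
```

Note that UDP is only denied for pop-3 and imap3 in the posted rules, so a UDP packet to port 513 falls through to the input policy.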