setting port ranges via Security Level GUI?

Joel rees at ddcom.co.jp
Mon Oct 25 10:09:43 UTC 2004


Okay, I got this to work. Not sure if it's as secure as I might wish,
but at least it makes the intruder have to spoof an internal address.

I think.

> > >Can it be done?
> > >
> > >If not, what do most people do when opening the netBIOS ports for samba
> > >(those who use samba, that is)? I assume, even though it only buys a
> > >speedbump, most people only open the netBIOS ports to the local net.
> > >
> > >Manual editing of /etc/sysconfig/iptables (in spite of
> > >system-config-securitylevel warning away from that)?
> > >
> > >Incidentally, when adding rules from the shell, I seem to have noticed
> > >that you can't specify multiple protocols and multiple ports in the same
> > >line like
> > >
> > >    iptables -A INPUT -p ALL -i eth0 -s 10.5.0.0/22 --destination-port
> > >137:139 -j ACCEPT
> > >
> > >Seems that -p All and --destination-port start:end conflict with each
> > >other. Am I imagining things?
> > >
> > >  
> > >
> > You might want to try this, though I currently have my firewall turned 
> > off on the Linux box.
> > Windows XP firewall exception for File and Printer Sharing:
> > TCP 139
> > TCP 445
> > UDP 137
> > UDP 138
> 
> Thanks. 
> 
> Doing that with the security widget did the trick. I'll try
> /etc/sysconfig/iptables on Monday.

Here are the four lines I added to /etc/sysconfig/iptables to clear the
firewall for the LAN:

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 10.5.0.0/25 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 10.5.0.0/25 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.5.0.0/25 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.5.0.0/25 --dport 445 -j ACCEPT

At least, they were four before your mail browser wrapped them. ;-P 

Anybody see any obvious holes in that?

-- 
Joel <rees at ddcom.co.jp>
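To answer the closing question from the checking side, here is an added example (written for this page, not code from the post or from Fedora's tools) that reads rules in the /etc/sysconfig/iptables format shown above and flags the ones an administrator would want to look at: an ACCEPT for a netBIOS/SMB port without a private -s range, a port carried over the wrong protocol (137/138 are UDP, 139/445 are TCP), or --dport combined with -p all, which is the conflict mentioned in the quoted question, because --dport is an option of the tcp/udp match extension rather than of iptables itself. The rule set embedded below is constructed: the four lines from the mail plus two deliberately weak ones appended for the check to find.

```python
"""Lint iptables-save style rules for netBIOS/SMB exposure (added example)."""
import ipaddress
import shlex

# Constructed sample: the four rules from the mail, then two weak lines
# appended on purpose (no -s restriction; -p all with a --dport range).
SAMPLE_RULES = """\
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 10.5.0.0/25 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 10.5.0.0/25 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.5.0.0/25 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.5.0.0/25 --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p all -s 10.5.0.0/22 --dport 137:139 -j ACCEPT
"""

# Protocol each SMB/netBIOS port is actually served on.
SMB_PORTS = {137: "udp", 138: "udp", 139: "tcp", 445: "tcp"}


def expand_ports(spec):
    """Turn '445' or '137:139' into a list of integer ports."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return list(range(int(lo), int(hi) + 1))
    return [int(spec)]


def parse_rule(line):
    """Pull the fields this check cares about out of one '-A ...' line."""
    tokens = shlex.split(line)
    rule = {"chain": None, "proto": None, "src": None, "dports": [], "target": None}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-A":
            rule["chain"] = tokens[i + 1]
        elif tok == "-p":
            rule["proto"] = tokens[i + 1].lower()
        elif tok == "-s":
            rule["src"] = tokens[i + 1]
        elif tok in ("--dport", "--destination-port"):
            rule["dports"] = expand_ports(tokens[i + 1])
        elif tok == "-j":
            rule["target"] = tokens[i + 1]
        else:
            i += 1          # flag without a value (e.g. -m, --state) or a value
            continue
        i += 2              # skip the option and its argument
    return rule


def lint_rule(rule):
    """Return a list of findings for one parsed rule (empty = nothing to report)."""
    findings = []
    if rule["target"] != "ACCEPT":
        return findings
    smb = [p for p in rule["dports"] if p in SMB_PORTS]
    if not smb:
        return findings
    # --dport only exists inside the tcp/udp match; '-p all' cannot carry it.
    if rule["proto"] not in ("tcp", "udp"):
        findings.append("--dport requires -p tcp or -p udp; -p all will not load")
    if rule["src"] is None:
        findings.append("no -s restriction: ports %s accepted from any source" % smb)
    else:
        net = ipaddress.ip_network(rule["src"], strict=False)
        if not net.is_private:
            findings.append("source %s is not a private (LAN) range" % rule["src"])
    for port in smb:
        if rule["proto"] in ("tcp", "udp") and rule["proto"] != SMB_PORTS[port]:
            findings.append("port %d is %s for SMB but rule matches %s"
                            % (port, SMB_PORTS[port], rule["proto"]))
    return findings


def lint(text):
    """Lint every '-A' line in an iptables-save style text; returns (line_no, finding)."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line.startswith("-A"):
            continue            # skip *filter, :CHAIN policy lines, COMMIT, comments
        for finding in lint_rule(parse_rule(line)):
            results.append((lineno, finding))
    return results


if __name__ == "__main__":
    for lineno, finding in lint(SAMPLE_RULES):
        print("line %d: %s" % (lineno, finding))
```

Run against the four rules from the mail alone the check stays silent; the two appended lines produce one finding each (an unrestricted 445 ACCEPT, and a -p all rule carrying --dport). The private-range test uses Python's `ipaddress` module, so a typo that turns 10.5.0.0/25 into a public prefix is caught as well.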



