p2p, anonymity and security

Mark J. Dulcey mark at buttery.org
Thu Mar 11 12:38:39 EST 2004


Greg Rundlett wrote:

> So, my first question...Is a Linksys Router doing 'firewall' duty and 
> NAT easy to get past?  If the answer is yes, then what should I do?  Use 
> a firewall-specific distro to convert my old P133MHz box into a Linux 
> firewall?  Maybe someone wants $100 to come over and show me how it's 
> done? (location Newburyport, MA or E. Kingston, NH)

Until you start forwarding some ports for running servers, NAT is 
actually pretty hard to get around; it won't forward any incoming 
connections unless you tell it to. Make sure to set the Linksys box not 
to accept any management connections from the WAN port, or else somebody 
could try to attack it.

If you want to be even more secure, you can set your router to block all 
incoming packets to ports other than the specific services you want to 
be able to use. That would protect you against machines on the LAN 
trying to make connections to unknown services on the outside. This 
takes more work, though, if anybody on the LAN wants to do online gaming 
or the like, since that often requires the use of unusual (and sometimes 
undocumented) ports.

If you forward any ports to an inside box, that box has to be properly 
secured, paying special attention to any ports that get forwarded to it. 
If you set up a machine to be a DMZ, as some NAT boxes allow (that is, a 
machine that receives ALL incoming ports from the outside world), that 
machine had better be running a really good firewall - it's even more 
sensitive than usual, because anyone who cracks it now has access to 
your LAN and the possibly unsecured machines on it.

If you have any Windows machines on the LAN, it's a good idea to block 
the ports that have been used by the popular Windows exploits: 135, 
137-139, and 445. These should be blocked in both directions (incoming 
and outgoing); there are no commonly used services that use these ports 
that you would ever want to run over the Internet. With those filters in 
place, viruses like Blaster are fairly harmless (though they might 
generate some extra traffic on the LAN), even if machines on your LAN 
are infected.

None of this, of course, will protect against users downloading and 
installing Trojan horses or the like. You still have to watch out for those.
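
As an added example that is not part of the original post or the list thread: the policy described above (default-deny inbound, no management from the WAN side, the Windows worm ports dropped in both directions, a single forwarded service) written as an iptables ruleset for a Linux box doing the router job. Interface names, the inside host address and the forwarded port are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: an iptables ruleset for a Linux
# box doing the NAT/firewall job described above. Interface names, the inside
# host and the single forwarded service (SSH to one inside host) are assumed.
WAN=${WAN:-eth0}                       # interface facing the ISP
LAN=${LAN:-eth1}                       # interface facing the LAN
SERVER=${SERVER:-192.168.1.10}         # inside box that gets one forwarded port
FWD_PORT=${FWD_PORT:-22}

# Print the rules instead of running them so they can be reviewed first.
firewall_rules() {
    # Default deny: nothing reaches the router or crosses it unless allowed below.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Management only from the LAN side; the WAN interface gets no INPUT ACCEPT.
    echo "iptables -A INPUT -i $LAN -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The Windows ports named in the post, dropped in both directions (TCP and
    # UDP), placed before the general LAN->WAN accept so that they take effect.
    for port in 135 137:139 445; do
        for proto in tcp udp; do
            echo "iptables -A FORWARD -i $WAN -p $proto --dport $port -j DROP"
            echo "iptables -A FORWARD -o $WAN -p $proto --dport $port -j DROP"
        done
    done
    # LAN machines may open anything else outbound; replies return via the state match.
    echo "iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT"
    # The one forwarded service: rewrite the destination and permit exactly that flow.
    echo "iptables -t nat -A PREROUTING -i $WAN -p tcp --dport $FWD_PORT -j DNAT --to-destination $SERVER:$FWD_PORT"
    echo "iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $SERVER --dport $FWD_PORT -j ACCEPT"
    # Masquerade everything leaving toward the ISP.
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
}

# Usage: ./nat-firewall.sh          (print the rules for review)
#        ./nat-firewall.sh apply    (run them, as root)
if [ "$1" = apply ]; then
    firewall_rules | sh -e
else
    firewall_rules
fi
```

Because FORWARD defaults to DROP, a port reaches an inside box only through an explicit DNAT plus a matching FORWARD accept, which is the "NAT won't forward anything unless you tell it to" behaviour in rule form.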
