[NCLUG] ipchains and firewalls
Michael Dwyer
mdwyer at sixthdimension.com
Thu Jan 24 10:13:28 MST 2002
rosing at peakfive.com wrote:
>
> Hi,
>
> I have 2 questions about ipchains and firewalls. The first is I
> executed
>
> ipchains -R input 8 -j ACCEPT -p tcp -s 130.20.118.155 x11:6009
>
> along with
>
> xhost +
>
> and I can now have X apps display on my machine from 130.20.118.155.
> Is this all I did? Or did I open up something else by accident? (I'm
> an ipchains newbie) Where is "x11" defined? I assume it's just a "well
> known" port (something like 6000?).
"Well known ports" are documented in /etc/services. Your rule looks
rather safe to me. Note that under UDP, an IP number is not a reliable
test. However, TCP connections are usually secure enough.
On the other hand, I would personally suggest that you lose this rule,
and instead use the -X flag on SSH to transmit your X sessions securely.
Finally, nmap (www.insecure.org/nmap) is your friend. Load it on a
remote machine, and run it against your own machine to see which ports
are available to the world at large.
> Second question: If I buy one of the cheap hub/router/firewall boxes (as
> opposed to using an old machine as a firewall and buying a hub) can I
> have the same kind of control as what I'm doing with ipchains? A
> specialized box would be more convenient for several reasons but I
> would like to have the kind of control that ipchains seems to provide.
Most of the ones that I have seen (Linksys) will allow you to designate
a single DMZ machine, to which incoming traffic is routed. IPChains
(or portfw, to be exact) will allow you to forward ports to any number
of machines. So I guess you lose that control... Otherwise, the
functionality seems to be similar. I didn't explore it, but the Linksys
seems to have a great number of advanced options that, one might argue,
are easier to get at than the Linux ones. I think it essentially comes
down to what you are willing to pay for -- time or equipment.
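An added example, not part of the original thread, showing where the "x11" in the rule above comes from. ipchains resolves service names through /etc/services (the same "name port/proto [aliases]" table the reply points to), and a `port[:port]` spec written after `-s` qualifies the source port while one after `-d` qualifies the destination port. The script below resolves `x11:6009` to a numeric range and checks which X display ports (an X server listens on TCP 6000 + display number) fall inside it. The services table embedded here is a constructed excerpt, not the poster's file; on a live system the same awk works against /etc/services itself.

```shell
#!/bin/sh
# Added example: resolve the service names in an ipchains port spec.
# SERVICES_EXCERPT is a constructed excerpt (not the poster's file); the
# real /etc/services uses the same "name port/proto [aliases]" layout.
SERVICES_EXCERPT='# constructed excerpt, same layout as /etc/services
ssh             22/tcp
ssh             22/udp
www             80/tcp          http
x11             6000/tcp        x11-0
x11             6000/udp        x11-0
x11-1           6001/tcp
x11-1           6001/udp
'

# svc_port NAME [PROTO] -> numeric port; plain numbers pass straight
# through. Matches the primary name and aliases, like getservbyname(3).
svc_port() {
    name=$1; proto=${2:-tcp}
    case $name in
        ''|*[!0-9]*) ;;                 # not all digits: look it up
        *) echo "$name"; return 0 ;;     # already numeric
    esac
    printf '%s\n' "$SERVICES_EXCERPT" | awk -v n="$name" -v p="$proto" '
        /^#/ || NF < 2 { next }
        {
            split($2, pp, "/")           # pp[1] = port, pp[2] = proto
            if (pp[2] != p) next
            if ($1 == n) { print pp[1]; exit }
            for (i = 3; i <= NF; i++) if ($i == n) { print pp[1]; exit }
        }'
}

# port_range SPEC -> "LOW HIGH" for an ipchains "port[:port]" spec such
# as x11:6009; a single port yields "N N". Fails if a name is unknown.
port_range() {
    spec=$1
    lo=${spec%%:*}
    case $spec in *:*) hi=${spec#*:} ;; *) hi=$lo ;; esac
    lo=$(svc_port "$lo"); hi=$(svc_port "$hi")
    [ -n "$lo" ] && [ -n "$hi" ] || return 1
    echo "$lo $hi"
}

# x_display_port N -> TCP port that X display :N listens on (6000 + N).
x_display_port() { echo $((6000 + $1)); }

# in_range PORT LOW HIGH -> succeeds if LOW <= PORT <= HIGH.
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# Worked example on the spec from the rule in the thread.
main() {
    spec="x11:6009"
    set -- $(port_range "$spec")
    echo "$spec resolves to TCP ports $1-$2"
    for d in 0 9 10; do
        p=$(x_display_port "$d")
        if in_range "$p" "$1" "$2"; then
            echo "display :$d (port $p) is inside the range"
        else
            echo "display :$d (port $p) is outside the range"
        fi
    done
}
main
```

The check from outside that the reply recommends is an nmap scan of the same range from another host, e.g. `nmap -p 6000-6009 <your host>`; whatever it reports open is what the rule actually exposes, regardless of what the service names suggested.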