RE: Must Have apps for the next BDI



Opera is redistributable as a binary.

The firewall rule can say something like this, let's assume that the
local subnet is 192.168.123.0/25

allow all from 192.168.123.0/25 to any via interface
drop all from any to any via interface 135-139


This would block all netbios connects outside of the local subnet, I
usually explicitly allow all services under port 1024 and then block all
others that I don't allow.

--snip--
How do most people use emc
--/snip--

I know that most of Sherline's customers are not going to be net savvy,
and won't care at all about services, if they do they will likely be
able to install them themselves, at which point I would assume that they
can secure their own computer.

I have heard that there is a kernel diff for Linux that allows ipfw - I
am not sure though, it's not really important which firewall we end up
using. It is more the principle of are we going to use it or not.

-Mike


-----Original Message-----
From: emc-at-nist.gov [emc-at-nist.gov] On Behalf Of John Sheahan
Sent: Monday, May 19, 2003 1:42 AM
To: Multiple recipients of list
Subject: Re: Must Have apps for the next BDI


On Mon, May 19, 2003 at 12:11:36AM -0400, Mike Joyce wrote:
> 
> opera (Netscape and other gecko clients = slow)
 
 is opera redistributable?  
 (MozillaFirebird is my current favourite)

> 
> I think that adding a firewall would be a great idea, I personally
> prefer ipfw, if you want I can throw together a simple firewall rule
> that would be suited for home use (blocking 135-139 and telnet etc).
> 
> I would also suggest, if we start enabling services that we chroot
> and/or jail them. There are a lot of people who just scan the net
> looking for default redhat installs that are running outdated ssh, or
> wuftpd or something. Even if we release code that is known secure, there
> are a lot of undocumented sploits floating around out there, that the
> normal home user isn't ready to handle.

I assume the box running the mill is not the primary firewall for the
site. Given that, I'd wonder if the reduced connectivity to other local
machines is worth the benefit of a firewall on that box.

Your comments are very appropriate for a box live on the net - but
might be overkill for a small network either not net connected or
connected through another box that masquerades and proxies.   How do most
people use emc?

Also I thought ipfw was a *bsd specific tool?  I use iptables 
for a 2.4 kernel. ipchains for older ones. 

john
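
Added example, not part of the original messages: a small model of the two-rule sketch in Mike's reply, showing which packets it lets through. It assumes first-match evaluation (as ipfw does), reads "135-139" as a destination port range, and assumes a default of "allow" for anything neither rule matches; the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_NET = ipaddress.ip_network("192.168.123.0/25")  # subnet from the message

@dataclass
class Rule:
    action: str                              # "allow" or "drop"
    src: Optional[ipaddress.IPv4Network]     # None means "any"
    dports: Optional[Tuple[int, int]]        # inclusive range, None means any port

# The two rules from the message, in the order they were given.
RULES = [
    Rule("allow", LOCAL_NET, None),          # allow all from local subnet to any
    Rule("drop", None, (135, 139)),          # drop all from any to any 135-139
]
DEFAULT = "allow"  # assumption: the sketch does not say what happens otherwise

def decide(src_ip, dport, rules=RULES):
    """Return the action of the first rule that matches (first match wins)."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.src is not None and addr not in r.src:
            continue
        if r.dports is not None and not (r.dports[0] <= dport <= r.dports[1]):
            continue
        return r.action
    return DEFAULT

# Constructed sample packets: (source address, destination port).
SAMPLES = [
    ("192.168.123.10", 139),   # inside the /25, NetBIOS port
    ("192.168.123.127", 139),  # last address covered by the /25
    ("192.168.123.200", 139),  # same /24 but outside the /25
    ("203.0.113.7", 137),      # outside host, NetBIOS port
    ("203.0.113.7", 80),       # outside host, other port: falls to DEFAULT
]

if __name__ == "__main__":
    for src, port in SAMPLES:
        print(f"{src:>16} -> port {port:<4} {decide(src, port)}")
```

A /25 covers only 192.168.123.0 through .127, so a host at .200 is treated as outside; swapping the two rules would drop NetBIOS traffic from local hosts as well.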







