[plug] Firewall on gateway
Rennie
renene at barekoala.net
Fri Mar 19 14:09:43 WST 2004
Craig Ringer wrote:
>On Fri, 2004-03-19 at 12:47, Rennie Barnett wrote:
>
>>Anyhow I've been able to get Gatekeeper
>
>Is that the hostname of your firewall?
>
That is the firewall
>>to firewall everything except SSH
>
>Do you mean that it blocks all incoming new connections except for port
>22 (ssh)? Or something else?
>
The gateway machine, "Gatekeeper", blocks all new incoming connections
except for port 80
>
>>and
>>keep on NATing but I seem to be getting significant traffic on unusual ports
>>like 2206 & 3541 etc..
>
>Incoming hits to ports on the firewall, or outgoing NATed traffic?
>
I'm not 100% but it seems to be outgoing NATed traffic, or related
incoming?? I'm talking volumes like 5,152,332 "In", 1,558,253 "Out" on
port 2257 ???!?
I get this info from an app called darkstat
(http://dmr.ath.cx/net/darkstat/) which is installed on Gatekeeper.
Amongst other things it produces a list of "ports" with the volume of
traffic In & Out for each of them.
I started darkstat with the following command "darkstat -i ppp0 &", if I
remember rightly, so I'm assuming that it should be giving only
information relative to ppp0, although one of the internal network hosts
(192.168.0.152) is showing up on the "hosts" list, so I'm not quite
clear as to what the info actually means.
>>Is it a bad idea to block OUTPUT, FORWARD and INPUT on a whole bunch of these
>>seemingly unnecessary ports?
>
>It'd be wise to identify what the traffic is for, and doing, first.
>Search Google for info on the ports in use. Use 'ethereal' to get a dump
>of the traffic in question, and examine it to see what machine it's
>coming from, and what its content is. See if you can identify what app
>is generating the traffic, and why. /then/ decide if you want to
>firewall the ports, or if some other action (AdAware, virus scan,
>killing a user, etc) is more appropriate.
>
>Craig Ringer
Thanks heaps for the info Craig, I'll look into it...
Cheers. Rennie
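
The step suggested in the thread, finding out which machine the traffic on a port comes from, as an added example that is not part of the original messages: a Python sketch that attributes per-port byte counts to an internal host and its remote peer. It assumes a text capture in `tcpdump -nn -q` style taken on the gateway's LAN-side interface (where the pre-NAT addresses are visible) and a 192.168.0.0/24 internal range; the sample lines are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: internal range, inferred from the 192.168.0.152 host in the post.
LAN = ip_network("192.168.0.0/24")

# Constructed sample in the style of `tcpdump -nn -q` on the LAN-side interface.
SAMPLE = """\
14:09:43.100000 IP 192.168.0.152.2257 > 203.0.113.10.80: tcp 0
14:09:43.150000 IP 203.0.113.10.80 > 192.168.0.152.2257: tcp 1448
14:09:43.160000 IP 203.0.113.10.80 > 192.168.0.152.2257: tcp 1448
14:09:43.200000 IP 192.168.0.152.2257 > 203.0.113.10.80: tcp 120
14:09:44.000000 ARP, Request who-has 192.168.0.1 tell 192.168.0.7, length 28
14:09:44.300000 IP 192.168.0.7.3541 > 198.51.100.5.443: tcp 512
14:09:44.350000 IP 198.51.100.5.443 > 192.168.0.7.3541: tcp 64
14:09:45.000000 IP 192.168.0.7.1030 > 198.51.100.53.53: UDP, length 40
"""

LINE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): "
    r"(?:tcp|UDP, length) (\d+)"
)

def attribute(capture, lan=LAN):
    """Sum payload bytes per (lan_host, lan_port, remote_host, remote_port)."""
    flows = defaultdict(lambda: {"in": 0, "out": 0})
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # ARP, ICMP and anything else without ports
        src, sport, dst, dport, size = m.groups()
        src_lan, dst_lan = ip_address(src) in lan, ip_address(dst) in lan
        if src_lan == dst_lan:
            continue  # LAN-to-LAN, or neither end is an internal host
        if src_lan:
            key, direction = (src, int(sport), dst, int(dport)), "out"
        else:
            key, direction = (dst, int(dport), src, int(sport)), "in"
        flows[key][direction] += int(size)
    return dict(flows)

def top_talkers(flows, n=5):
    """Flows ordered by total bytes, largest first."""
    return sorted(flows.items(),
                  key=lambda kv: kv[1]["in"] + kv[1]["out"], reverse=True)[:n]

if __name__ == "__main__":
    for (host, lport, peer, rport), b in top_talkers(attribute(SAMPLE)):
        print(f"{host}:{lport} <-> {peer}:{rport}  in={b['in']} out={b['out']}")
```

Each output row pairs a local port with the internal host that owns it and the remote service it is talking to, which a per-port total alone does not show. The byte counts are payload lengths as printed by tcpdump, so they will be lower than on-the-wire totals.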