[plug] Firewall on gateway

Rennie renene at barekoala.net
Fri Mar 19 14:21:05 WST 2004


Rennie wrote:

> Craig Ringer wrote:
>
>> On Fri, 2004-03-19 at 12:47, Rennie Barnett wrote:
>>
>>  
>>
>>> Anyhow I've been able to get Gatekeeper
>>>   
>>
>>
>> Is that the hostname of your firewall?
>>
>>  
>>
> That is the firewall
>
>>> to firewall everything except SSH   
>>
>>
>> Do you mean that it blocks all incoming new connections except for port
>> 22 (ssh)? Or something else?
>>  
>>
> The gateway machine, "Gatekeeper", blocks all new incoming connections 
> except for port 80

Oops! That should read "...port 22" not 80

>
>>  
>>
>>> and keep on NATing but I seem to be getting significant traffic on 
>>> unusual ports like 2206 & 3541 etc..
>>>   
>>
>>
>> Incoming hits to ports on the firewall, or outgoing NATed traffic?
>>
>>  
>>
> I'm not 100% but it seems to be outgoing NATed traffic, or related 
> incoming?? I'm talking volumes like 5,152,332 "In", 1,558,253 "Out" on 
> port 2257 ???!?
>
> I get this info from an app called darkstat 
> (http://dmr.ath.cx/net/darkstat/) which is installed on Gatekeeper.
>
> Amongst other things it produces a list of "ports" with the volume of 
> traffic In & Out for each of them.
>
> I started darkstat with the following command "darkstat -i ppp0 &", if 
> I remember rightly, so I'm assuming that it should be giving only 
> information relative to ppp0, although one of the internal network 
> hosts (192.168.0.152) is showing up on the "hosts" list, so I'm not 
> quite clear as to what the info actually means.
>
>>> Is it a bad idea to block OUTPUT, FORWARD and INPUT on a whole bunch 
>>> of these seemingly unnecessary ports?
>>>   
>>
>>
>> It'd be wise to identify what the traffic is for, and doing, first.
>> Search Google for info on the ports in use. Use 'ethereal' to get a dump
>> of the traffic in question, and examine it to see what machine it's
>> coming from, and what its content is. See if you can identify what app
>> is generating the traffic, and why. /then/ decide if you want to
>> firewall the ports, or if some other action (AdAware, virus scan,
>> killing a user, etc) is more appropriate.
>>
>> Craig Ringer
>>
>> _______________________________________________
>> PLUG discussion list: plug at plug.linux.org.au
>> http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
>> Committee e-mail: committee at plug.linux.org.au
>>
>>
>>  
>>
> Thanks heaps for the info Craig, I'll look into it...
>
> Cheers. Rennie
>
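Added example, not part of the original thread: one way to follow the advice above and tie a port number from a per-port traffic list back to an internal machine and the remote service it is talking to. It assumes a text capture taken on the gateway's LAN-side interface (where pre-NAT addresses are still visible) in the style of `tcpdump -nn -q -t` output; the sample lines, the 192.168.0.0/24 range and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed internal range; the thread only shows the host 192.168.0.152.
LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample in the style of `tcpdump -nn -q -t` text output,
# captured on the internal interface so the LAN hosts are not yet hidden
# behind the gateway's NAT address.
SAMPLE = """\
IP 192.168.0.152.2257 > 203.0.113.10.80: tcp 420
IP 203.0.113.10.80 > 192.168.0.152.2257: tcp 1448
IP 203.0.113.10.80 > 192.168.0.152.2257: tcp 1448
IP 192.168.0.7.3541 > 198.51.100.4.6881: tcp 900
IP 198.51.100.4.6881 > 192.168.0.7.3541: tcp 300
IP 192.168.0.7.1030 > 203.0.113.10.80: tcp 100
"""

# Only TCP lines are parsed; anything else is skipped.
LINE = re.compile(r"^IP (\S+)\.(\d+) > (\S+)\.(\d+): tcp (\d+)")

def attribute(capture, port):
    """Return {(lan_host, lan_port, peer, peer_port): [bytes_out, bytes_in]} for flows using `port`."""
    flows = defaultdict(lambda: [0, 0])
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, size = m[1], int(m[2]), m[3], int(m[4]), int(m[5])
        if port not in (sport, dport):
            continue
        if ipaddress.ip_address(src) in LAN:
            flows[(src, sport, dst, dport)][0] += size  # LAN host -> internet
        elif ipaddress.ip_address(dst) in LAN:
            flows[(dst, dport, src, sport)][1] += size  # internet -> LAN host
    return dict(flows)

def describe(capture, port):
    """One line per flow, saying whether `port` is the LAN host's own end or the remote service."""
    out = []
    for (host, lport, peer, rport), (sent, recv) in sorted(attribute(capture, port).items()):
        side = "local (client) end" if lport == port else "remote (service) end"
        out.append(f"{host}:{lport} <-> {peer}:{rport} out={sent} in={recv}; port {port} is the {side}")
    return out

if __name__ == "__main__":
    for p in (2257, 3541, 80):
        print("\n".join(describe(SAMPLE, p)))
```

When the port turns out to be the local end of a connection to a well-known service, the volume belongs to that service and the LAN host that opened it, which is what to look at before deciding on any firewall rule.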




