question on iptables, port 631 and CUPS
Paul Allen Newell
pnewell at cs.cmu.edu
Mon Mar 26 07:26:23 UTC 2012
On 3/25/2012 3:22 AM, Tim wrote:
> On Sat, 2012-03-24 at 19:18 -0700, Paul Allen Newell wrote:
>> If I try to reach a solution based on my limited knowledge, it would
>> seem that one would want to change the udp to have a 127.0.0.1
>> sourceIP and a destinIP restricting to the LAN (I am assuming simple
>> home user usage where there's a single LAN that has one connection
>> through a router to the outside world). Such would say that any other
>> udp would get rejected (or allowed by some other rule).
> 127.x.y.z addresses are not LAN addresses, they're only for the machine
> itself (internal communication).
>
> If one is being secure, particularly when you connect your computers to
> random networks, or directly to the internet with no intervening gadget
> that acts like a firewall, then you probably do not want to use the
> default firewall rules that Fedora uses (allow everything by default,
> have a few specific rules, then a final deny rule). You'd want to go
> the opposite way: Deny everything by default, poke holes through for
> the few things that you want to allow.
>
> And, of course, configure all your services correctly. Do not rely on a
> firewall to stop access to a service that you don't want public access to.
> Configure *that* service to ignore unwanted connections.
>
> It's particularly important if you're one of those people who are going
> to disable the firewall to try and work out some problem. Because it
> only takes mere moments for some hacker to do their business on a
> vulnerable system. And that moment might be when you've dropped your
> firewall.
>
Tim:
Thanks for the reply.
I appreciate the corrections on my language regarding 127.*
You have clearly detected that I am trying to understand "being secure".
I've posted many times trying to get understanding on iptables and I
know that once I sort that out, I have to deal with firewall issues. Let
me digest your email (along with the other posts regarding exactly what
port 3535 is) and get back.
Best,
Paul
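The default-deny approach Tim describes (drop everything on INPUT, then poke a hole for the one service, here CUPS on port 631, from the LAN only) as an added shell example. This is not code from the thread or from the Fedora project; it prints the iptables commands rather than applying them, so it can be reviewed before use, and the LAN prefix 192.168.1.0/24 is a placeholder assumption to be replaced with the real LAN:

```shell
#!/bin/sh
# Added example, not from the thread: emit a default-deny iptables rule set
# that allows CUPS (631/tcp for IPP, 631/udp for browse announcements) only
# from the LAN and from the machine itself (loopback). Rules are printed,
# not applied; pipe them through sh as root once reviewed.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # placeholder LAN prefix (assumption)

cups_rules() {
    # Policy: deny by default on INPUT and FORWARD; OUTPUT stays open.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # 127.x.y.z is the host itself, not the LAN, so loopback is allowed wholesale.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host initiated.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The one hole: CUPS over TCP and UDP, only from the LAN source range.
    echo "iptables -A INPUT -s $LAN_NET -p tcp --dport 631 -j ACCEPT"
    echo "iptables -A INPUT -s $LAN_NET -p udp --dport 631 -j ACCEPT"
    # Anything else falls through to the INPUT DROP policy.
}

# Number of rules emitted (useful as a sanity check against a running box).
rule_count() {
    cups_rules | wc -l | tr -d ' '
}

# Number of port-631 rules that are NOT restricted to the LAN source.
# A non-zero value would mean the printer port is reachable from anywhere.
unrestricted_631() {
    cups_rules | grep -- '--dport 631' | grep -vc -- "-s $LAN_NET" || true
}

cups_rules
```

Because the INPUT policy is DROP, the order matters less than in Fedora's accept-by-default layout: any packet not matched by an ACCEPT rule is dropped, including the 631/udp traffic the original question asked about when it arrives from outside the LAN. Following Tim's second point, the service should also refuse unwanted clients itself, for example by limiting the `Listen` directives in cupsd.conf to localhost or the LAN address rather than all interfaces.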