Demilitarized zone

The past few days I've been reconfiguring my firewall/proxy server here at home and I must certainly say that it's not quite as easy as I thought it was; and that supporting FTP (File Transfer Protocol) is singularly annoying.

Prior to my mucking about I had allowed all TCP (Transmission Control Protocol) connections through, and then excluded the ones I didn't want, which meant that my rules (and I'm using ipfwadm here) looked like:

    ipfwadm -I -a reject -P tcp -W eth1 -D $IP 1:19
    ipfwadm -I -a reject -P tcp -W eth1 -D $IP 23:24
    ipfwadm -I -a reject -P tcp -W eth1 -D $IP 26:79

And so on. That made it hard to see what ports I did support (and I stopped at 1022 because it seems that Linux 2.0 starts handing out ports at 1023 even though it's supposed to start at 1024, but that's another story), and I had to make sure I blocked services on high ports like Squid [1], and I wanted to block ports that stuff like Back Orifice [2] uses (not that I'm really worried it'll attack me, but it's always nice to see attempts).

So I started mucking around. And I'm still fine tuning everything. As Rob [3] pointed out, I'm turning into a paranoid sysadmin. Sigh. But it is easier to see what I'm letting through.

[1] http://www.squid-cache.org/
[2] http://www.bo2k.com/
[3] http://www.tragic-smurfs.com/

Email author at sean@conman.org.
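The post's complaint is that a default-allow ruleset full of reject ranges hides which ports are actually open. This added example (not part of the original post) parses such ipfwadm reject lines, lists the ports they leave open, and emits the inverse default-deny ruleset; the sample rules are constructed from the three lines above, and the `ipfwadm -I -p deny` policy line is assumed ipfwadm syntax.

```python
import re

# Constructed sample modelled on the post's default-allow ruleset:
# everything is let through except the listed destination port ranges.
SAMPLE_REJECT_RULES = """
ipfwadm -I -a reject -P tcp -W eth1 -D $IP 1:19
ipfwadm -I -a reject -P tcp -W eth1 -D $IP 23:24
ipfwadm -I -a reject -P tcp -W eth1 -D $IP 26:79
"""

# Matches an input-chain reject rule ending in a port or lo:hi port range.
RULE_RE = re.compile(
    r"ipfwadm\s+-I\s+-a\s+reject\s+.*?-D\s+\S+\s+(\d+)(?::(\d+))?\s*$"
)


def rejected_ports(rules: str) -> set[int]:
    """Collect every destination port covered by a reject rule."""
    ports: set[int] = set()
    for line in rules.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        ports.update(range(lo, hi + 1))
    return ports


def allowed_ports(rules: str, lo: int = 1, hi: int = 1022) -> list[int]:
    """Ports in [lo, hi] the reject rules leave open: what the ruleset really permits."""
    blocked = rejected_ports(rules)
    return [p for p in range(lo, hi + 1) if p not in blocked]


def default_deny_rules(allowed: list[int], ip: str = "$IP", iface: str = "eth1") -> list[str]:
    """Emit the inverse ruleset: accept only the listed ports, then deny everything else.

    The final policy line is assumed ipfwadm syntax (default input policy = deny).
    """
    lines = [
        f"ipfwadm -I -a accept -P tcp -W {iface} -D {ip} {p}"
        for p in sorted(set(allowed))
    ]
    lines.append("ipfwadm -I -p deny")
    return lines


if __name__ == "__main__":
    open_ports = allowed_ports(SAMPLE_REJECT_RULES, 1, 79)
    print("open below 80:", open_ports)  # FTP data/control, ssh, smtp
    print("\n".join(default_deny_rules(open_ports)))
```

Running it against the three sample lines shows the only low ports left open are 20, 21, 22 and 25, which is the list the author had to reconstruct by hand.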