more stupid network questions
David A. Bandel
david
Mon May 17 12:01:18 PDT 2004
On Mon, 12 Apr 2004 07:40:41 -0700
Tony Alfrey <tonyalfrey at earthlink.net> wrote:
> On Monday 12 April 2004 03:52 am, David A. Bandel wrote:
> > On Sun, 11 Apr 2004 20:36:48 -0700
> >
> > Tony Alfrey <tonyalfrey at earthlink.net> wrote:
> > > Hi list:
> > >
> > > Please bear with me because I'm gonna have a pile of really DUMB
> > > network questions now that I have this warp speed connection. You
> > > are all gonna be ROTFLYAO.
> > >
> > > Is there a way to turn the f*$(%& network card off other than
> > > unplugging the RJ-45 cable? So that I'm not hooked up to the
> > > entire world when I don't want to be, at least until I learn about
> > > this stuff.
> >
> > Better, good firewall rules:
> >
> > assuming eth0 is your connection to the world:
> >
> > iptables -A INPUT -m state -i eth0 --state RELATED,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -m state -i eth0 --state NEW,INVALID -j DROP
> > iptables -A INPUT -m state -i ! eth0 --state
> > NEW,RELATED,ESTABLISHED -j ACCEPT
> > (line wrap at no extra charge -- do not wrap them on your system,
> > those are 3 lines above, not 4)
> >
> > If you're using your system for forwarding to your wife's machine,
> > add two like the first two but to the FORWARDING table.
> >
> > The above will allow you to go out, but no one to come in.
> >
> > Ciao,
> >
> > David A. Bandel
>
> Oh, THIS I'll have to study. I have no idea what this all means.
> Let me tell you what we have in place so that you can tell me what is
> relevant.
Study away. What I did was to give you three stateful firewall rules
that should prevent anyone from connecting on eth0 (change to whatever
interface you use as your default gateway). I don't like the way the
lines got changed, though. Each line starts with 'iptables' and ends
with either ACCEPT or DROP.
> 1. My GoogleGeek tenant has a Mac and we all have cable and the cable
> modem is in his apt.
> 2. He has an Apple AirportExtreme base station connected to the cable
> modem. It has a 'firewall' inside and he, in essence, is the
> administrator. He has set up WEP, passwords, dhcp, etc on the base
> station with his Mac. I wish Apple would make a linux driver.
This is all well and good, but I trust no one else to set up my
firewall.
> 3. We have another Apple AirportExtreme in our house, set up as a
> bridge. I connect to the bridge with the LAN port; my wife connects
> with 801.22b
> 4. eth0 is a device on my box, but it is a 'node' (I think) on the
> network, and I do not control the network, only my box. Although I do
> have the password for the base station and could, in principle,
> command the base station if I knew what to say to it.
What is your IP address (on your system?)? Public or private (i.e.,
10.x.x.x, 172.16-31.x.x, 192.168.x.x)?
>
> It sounds like your recommendations apply to the base station, not to
> me???
Nope, wrong answer. This applies to any system _you_ want to control
who connects to. Meaning folks on the Internet or even your GoogleGeek
(whatever that is) friend.
Ciao,
David A. Bandel
- --
Focus on the dream, not the competition.
Nemesis Racing Team motto
GPG key autoresponder: mailto:david_key at pananix.com
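
Added example (not part of the original message): a small Python model of how the three INPUT rules quoted above are evaluated, first match wins, for constructed sample packets. The interface name eth0 comes from the message; the ACCEPT chain policy is an assumption (the iptables default for built-in chains) and decides any packet that none of the three rules match.

```python
# Added illustration: first-match model of the three INPUT rules in the message.
# WAN follows the message ("assuming eth0 is your connection to the world").
# POLICY is an assumption: built-in iptables chains default to ACCEPT.
WAN = "eth0"
POLICY = "ACCEPT"

# (interface test, conntrack states matched, target), in the order given.
RULES = [
    (lambda i: i == WAN, {"RELATED", "ESTABLISHED"}, "ACCEPT"),
    (lambda i: i == WAN, {"NEW", "INVALID"}, "DROP"),
    (lambda i: i != WAN, {"NEW", "RELATED", "ESTABLISHED"}, "ACCEPT"),
]


def verdict(iface, state, policy=POLICY):
    """Return (target, rule_number); rule_number is None if the policy decided."""
    for number, (iface_ok, states, target) in enumerate(RULES, start=1):
        if iface_ok(iface) and state in states:
            return target, number
    return policy, None


# Constructed sample packets: (description, inbound interface, conntrack state)
SAMPLES = [
    ("reply to a web request you made", "eth0", "ESTABLISHED"),
    ("ICMP error tied to one of your connections", "eth0", "RELATED"),
    ("unsolicited inbound connection attempt", "eth0", "NEW"),
    ("packet matching no tracked connection", "eth0", "INVALID"),
    ("local program talking over loopback", "lo", "NEW"),
    ("invalid packet on a non-eth0 interface", "lo", "INVALID"),
]


def run():
    """Evaluate every sample; returns (desc, iface, state, target, rule)."""
    return [(d, i, s) + verdict(i, s) for d, i, s in SAMPLES]


if __name__ == "__main__":
    for desc, iface, state, target, rule in run():
        decided_by = f"rule {rule}" if rule else "chain policy"
        print(f"{iface:5} {state:12} -> {target:6} ({decided_by}): {desc}")
```

The last sample is the one to notice: the third rule does not list INVALID, so such packets on interfaces other than eth0 are left to the chain policy.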