more stupid network questions
David A. Bandel
david
Mon May 17 12:01:19 PDT 2004
On Mon, 12 Apr 2004 09:29:01 -0700
Tony Alfrey <tonyalfrey at earthlink.net> wrote:
> On Monday 12 April 2004 08:44 am, David A. Bandel wrote:
> <snip>
> >
> > study away. What I did was to give you three stateful firewall
> > rules that should prevent anyone from connecting on eth0 (change to
> > whatever interface you use as your default gateway). I don't like
> > the way the lines got changed, though. Each line starts with
> > 'iptables' and ends with either ACCEPT or DROP.
>
> Yeah, I figured that out.
> So I can add this to MY box regardless of what my friend has on his
> firewall?
Absolutely. Then no one will be able to connect to you. There is one
more rule you could use, but it's only useful against scans so I omitted
it. Personal firewalls are always a good defense, but the commercial
ones like BlackIce, etc., I don't trust. I trust Firewall-1 (but it's a
bit pricey and designed for high-end connections) and I trust
Netfilter/IPTables.
>
> >
> > > 1. My GoogleGeek tenant has a Mac and we all have cable and the
> > > cable modem is in his apt.
> > > 2. He has an Apple AirportExtreme base station connected to the
> > > cable modem. It has a 'firewall' inside and he, in essence, is the
> > > administrator. He has set up WEP, passwords, DHCP, etc on the
> > > base station with his Mac. I wish Apple would make a linux
> > > driver.
> >
> > This is all well and good, but I trust no one else to set up my
> > firewall.
>
> I can't agree more; it makes me nervous, too. But I'm just starting
> so in the near future, this situation will change. And the guy is
> pretty trustworthy, at least at this level of participation.
>
> >
> > > 3. We have another Apple AirportExtreme in our house, set up as a
> > > bridge. I connect to the bridge with the LAN port; my wife
> > > connects with 801.22b
> > > 4. eth0 is a device on my box, but it is a 'node' (I think) on
> > > the network, and I do not control the network, only my box.
> > > Although I do have the password for the base station and could,
> > > in principle, command the base station if I knew what to say to it.
> >
> > What is your IP address (on your system?)? Public or private (i.e.,
> > 10.x.x.x, 172.16-31.x.x, 192.168.x.x)?
>
> 10.xxx on mine. DHCP assigns addresses to the nodes from the base
> station (I think that is the way to describe it).
This gives you an added layer of protection since 10.x.x.x addresses are
not routable.
>
> >
> > > It sounds like your recommendations apply to the base station, not
> > > to me???
> >
> > Nope, wrong answer. This applies to any system _you_ want to
> > control who connects to. Meaning folks on the Internet or even your
> > GoogleGeek (whatever that is) friend.
>
> Good. So I will read about iptables and do this on my box.
> A GoogleGeek (in my jargon) is someone who works at Google.
Ah.
>
> Thanks very much for the help. As always, you're great!
Anytime. But I think only my lady friends can tell you if the "great"
part is true or not.
Ciao,
David A. Bandel
- --
Focus on the dream, not the competition.
Nemesis Racing Team motto
GPG key autoresponder: mailto:david_key at pananix.com
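
The message above notes that the mailed rules were re-wrapped in transit and that each one starts with 'iptables' and ends with ACCEPT or DROP. The following is an added example, not part of the original thread, that uses that property to rejoin wrapped rules before they are run; the function name rejoin_rules and the three sample rules are constructed for illustration and are not the rules David posted.

```shell
#!/bin/sh
# Rejoin iptables rules that a mail client wrapped across several lines.
# Relies on the property stated in the thread: every rule starts with
# "iptables" and ends with ACCEPT or DROP.

rejoin_rules() {
  awk '
    # Strip mail quote markers, leading blanks and trailing whitespace.
    { sub(/^[> \t]+/, ""); sub(/[ \t\r]+$/, "") }
    $0 == "" { next }
    /^iptables( |$)/ {
      # A new rule began before the previous one reached its target.
      if (buf != "") { print "incomplete rule: " buf > "/dev/stderr"; bad = 1 }
      buf = $0
    }
    !/^iptables( |$)/ {
      if (buf == "") next        # text outside any rule is ignored
      buf = buf " " $0           # continuation of a wrapped rule
    }
    buf ~ / (ACCEPT|DROP)$/ { print buf; buf = "" }
    END {
      if (buf != "") { print "incomplete rule: " buf > "/dev/stderr"; bad = 1 }
      exit bad + 0               # non-zero if any rule was cut off
    }
  '
}

# Constructed sample: three stateful INPUT rules for eth0, wrapped and
# quoted the way a mail reply might mangle them.
SAMPLE='> iptables -A INPUT -i eth0 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state INVALID -j
> DROP
> iptables -A INPUT -i eth0 -m state --state NEW -j DROP'

# Print the repaired rules for review; nothing is applied to the firewall.
printf '%s\n' "$SAMPLE" | rejoin_rules
```

Review the printed rules and change eth0 to your own gateway interface before running them as root; a non-zero exit status means at least one rule never reached its ACCEPT or DROP and should not be applied.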