Windows 2000 IPSEC+ICS help
Moderator: Thanas

How do I enable IPSEC and still allow ICS connections from my Linux box through? I've enabled it and tested it at GRC and got this:

GRC Port Authority Report created on UTC: 2004-01-01 at 22:13:53
Results from scan of ports: 0-1055
0 Ports Open
1048 Ports Closed
8 Ports Stealth
---------------------
1056 Ports Tested
NO PORTS were found to be OPEN.
Ports found to be STEALTH were: 23, 135, 139, 389, 445, 1002,
1025, 1029
Other than what is listed above, all ports are CLOSED.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- Received one or more unsolicited packets,
- NO Ping reply (ICMP Echo) was received.

Also, how do I specify port ranges? Blocking individual ports is a pain with stupid GUIs, and I know nothing of advanced batch scripting to automate this w/ the command-line tool (might not matter, since I'm installing cygwin in the future anyway). And there's no way you can block incoming stuff selectively depending on if it was a response to an outgoing connection like iptables, right?

Last edited by Pu-239 on 2004-01-03 05:06pm, edited 1 time in total.
ah.....the path to happiness is revision of dreams and not fulfillment... -SWPIGWANG
Sufficient Googling is indistinguishable from knowledge -somebody
Anything worth the cost of a missile, which can be located on the battlefield, will be shot at with missiles. If the US military is involved, then things, which are not worth the cost if a missile will also be shot at with missiles. -Sea Skimmer
George Bush makes freedom sound like a giant robot that breaks down a lot. -Darth Raptor
- Faram
- Bastard Operator from Hell
- Posts: 5271
- Joined: 2002-07-04 07:39am
- Location: Fighting Polarbears
First off, ignore GRC. Steve Gibson is a wacko who thinks his so-called Stealth ports are somehow safer than a closed port.
I am heading to bed but if no one else answers your questions I'll help you tomorrow.
"Either God wants to abolish evil, and cannot; or he can, but does not want to. ... If he wants to, but cannot, he is impotent. If he can, but does not want to, he is wicked. ... If, as they say, God can abolish evil, and God really wants to do it, why is there evil in the world?" -Epicurus
Fear is the mother of all gods.
Nature does all things spontaneously, by herself, without the meddling of the gods. -Lucretius
Faram wrote: First off, ignore GRC. Steve Gibson is a wacko who thinks his so-called Stealth ports are somehow safer than a closed port.
I am heading to bed but if no one else answers your questions I'll help you tomorrow.

The scanning functionality is still useful, e.g. since nmapping localhost/192.168.0.1/<some dynamic IP address> does not work due to having the loopback interface allow everything (might be moot now, since nmap works on W2k too). I thought stealth was better if all ports were "stealthed" though (but it isn't practical, since some ports above 1023 have to be open for clients, right?)

Can you or someone also check my iptables script?
#!/bin/bash
# Sets up default route
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
route add default gw up metric 3 &>/dev/null
# Very loosely based on stuff from the iptables tutorial and the IP-Masq HOWTO
#---------------------------------------------------------------------
# Initial setup
#---------------------------------------------------------------------
# Sets path
#---------------------------------
PATH="/sbin"
export PATH
#---------------------------------
# Resets firewall rules: default policy DROP on every built-in chain, then
# flush and delete all user chains. The nat table is flushed too, so running
# the script twice does not append a second MASQUERADE rule.
#---------------------------------
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F
iptables -X
iptables -t nat -F
#---------------------------------------------------------------------
# Creates chain for dropping and logging packets (ie "stealth")
# (defined but not referenced below; DISPOSE uses REJECTLOG instead)
#---------------------------------------------------------------------
iptables -N DROPLOG
iptables -A DROPLOG -j ULOG
iptables -A DROPLOG -j DROP
#---------------------------------------------------------------------
# Creates chain for rejecting and logging packets
#---------------------------------------------------------------------
iptables -N REJECTLOG
iptables -A REJECTLOG -j ULOG
iptables -A REJECTLOG -j REJECT
#---------------------------------------------------------------------
# DISPOSE is the single place unwanted packets go, so switching between
# "stealth" (DROPLOG) and "closed" (REJECTLOG) is a one-line change.
iptables -N DISPOSE
iptables -A DISPOSE -j REJECTLOG
#---------------------------------------------------------------------
# Incoming TCP. Services listening locally (from nmap):
#22/tcp open ssh
#25/tcp open smtp
#139/tcp open netbios-ssn
#445/tcp open microsoft-ds
#631/tcp open ipp
#---------------------------------------------------------------------
iptables -N TCPFILTIN
# Reject SYN/ACKs that conntrack has no outgoing SYN for (unsolicited packets)
iptables -A TCPFILTIN -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DISPOSE
# "1500:" is a port range: 1500 through 65535
iptables -A TCPFILTIN -p tcp --dport 1500: -j ACCEPT
iptables -A TCPFILTIN -p tcp --dport 22 -j ACCEPT
# Allows access to my computer's services from upstairs (the LAN side)
iptables -A TCPFILTIN -i eth0 -s 192.168.0.0/24 -j ACCEPT
iptables -A TCPFILTIN -i lo -j ACCEPT
# Explicitly refuse outside connections to the local services listed above.
# These match the local destination port; the posted script used --sport,
# i.e. the remote port, which also rejected replies from remote SMTP/SMB/IPP
# servers to local ports below 1500 before the ESTABLISHED rule below ran.
iptables -A TCPFILTIN -p tcp --dport 25 -j DISPOSE
iptables -A TCPFILTIN -p tcp --dport 139 -j DISPOSE
iptables -A TCPFILTIN -p tcp --dport 445 -j DISPOSE
iptables -A TCPFILTIN -p tcp --dport 631 -j DISPOSE
# Replies to connections this box opened
iptables -A TCPFILTIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A TCPFILTIN -j DISPOSE
#---------------------------------------------------------------------
# Incoming UDP
#---------------------------------------------------------------------
iptables -N UDPFILTIN
# Allows access to my computer's services from upstairs
iptables -A UDPFILTIN -i eth0 -s 192.168.0.0/24 -j ACCEPT
iptables -A UDPFILTIN -p udp --dport 22 -j ACCEPT
#iptables -A UDPFILTIN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows access to my ISP's DNS servers (their replies come back from this
# range; with the ESTABLISHED,RELATED line above enabled, state tracking
# would accept them without naming the range)
iptables -A UDPFILTIN -p udp -s 207.172.3.0/24 -j ACCEPT
iptables -A UDPFILTIN -j DISPOSE
#---------------------------------------------------------------------
# Incoming ICMP
#---------------------------------------------------------------------
iptables -N ICMPFILTIN
#iptables -A ICMPFILTIN -p icmp --icmp-type echo-request -j ACCEPT
#iptables -A ICMPFILTIN -p icmp --icmp-type echo-reply -j ACCEPT
#iptables -A ICMPFILTIN -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A ICMPFILTIN -i eth0 -s 192.168.0.0/24 -j ACCEPT
#iptables -A ICMPFILTIN -i lo -j ACCEPT
#iptables -A ICMPFILTIN -j DISPOSE
#accept pings from p2p peers, needs to be tweaked
iptables -A ICMPFILTIN -j ACCEPT
#---------------------------------------------------------------------
# Dispatch incoming traffic by protocol
#---------------------------------------------------------------------
iptables -A INPUT -p tcp -j TCPFILTIN
iptables -A INPUT -p udp -j UDPFILTIN
iptables -A INPUT -p icmp -j ICMPFILTIN
iptables -A INPUT -j DISPOSE
# Allow all outgoing traffic
iptables -A OUTPUT -j ACCEPT
# Forwarding for the ICS box: LAN (eth0) out to the modem link (ppp0) is
# open, the reverse direction only for replies
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -A FORWARD -j DISPOSE
# Sets up NAT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
exit 0
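An added example, not from the thread: a first-match model of the TCPFILTIN chain above, run over a few constructed packets, to show what the rule order does and why the service-port rules should match the local destination port rather than the remote source port. Interface names and the 192.168.0.0/24 LAN come from the script; the remote address and port numbers are made up.

```python
# Added example, not from the thread: a first-match model of the TCPFILTIN
# chain in the script above, run over a few constructed packets.
# "state" is what conntrack would report for the packet.
from dataclasses import dataclass


@dataclass
class Pkt:
    iface: str
    src: str
    sport: int
    dport: int
    state: str          # "NEW", "ESTABLISHED" or "RELATED"
    syn_ack: bool = False


SERVICE_PORTS = (25, 139, 445, 631)   # the local services the script fences off


def tcpfiltin(p, port_match="sport"):
    """Walk TCPFILTIN top to bottom; the first matching rule decides.

    port_match selects how the service-port rules are written: "sport"
    (remote port, as posted) or "dport" (local destination port)."""
    rules = [
        (lambda p: p.syn_ack and p.state == "NEW", "DISPOSE"),          # unsolicited SYN/ACK
        (lambda p: p.dport >= 1500, "ACCEPT"),                          # --dport 1500:
        (lambda p: p.dport == 22, "ACCEPT"),                            # ssh
        (lambda p: p.iface == "eth0" and p.src.startswith("192.168.0."), "ACCEPT"),
        (lambda p: p.iface == "lo", "ACCEPT"),
        (lambda p: getattr(p, port_match) in SERVICE_PORTS, "DISPOSE"),
        (lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
        (lambda p: True, "DISPOSE"),                                    # final catch-all
    ]
    for match, verdict in rules:
        if match(p):
            return verdict


# Constructed packets arriving on the modem link (remote address is made up).
INBOUND_SMTP_SYN = Pkt("ppp0", "203.0.113.7", 40000, 25, "NEW")         # outsider connecting to local smtp
SMTP_REPLY_LOW = Pkt("ppp0", "203.0.113.7", 25, 1025, "ESTABLISHED")   # reply to an outgoing mail session
SMTP_REPLY_HIGH = Pkt("ppp0", "203.0.113.7", 25, 3000, "ESTABLISHED")  # same, local port above 1500
NEW_HIGH_PORT = Pkt("ppp0", "203.0.113.7", 40000, 6000, "NEW")         # new connection to a high port


def compare(p):
    """Verdict under the posted (--sport) and corrected (--dport) rules."""
    return tcpfiltin(p, "sport"), tcpfiltin(p, "dport")


if __name__ == "__main__":
    for name, p in [("inbound smtp syn", INBOUND_SMTP_SYN), ("smtp reply to 1025", SMTP_REPLY_LOW),
                    ("smtp reply to 3000", SMTP_REPLY_HIGH), ("new conn to 6000", NEW_HIGH_PORT)]:
        print(f"{name:20s} sport-rule: {compare(p)[0]:8s} dport-rule: {compare(p)[1]}")
```

The last packet shows a second consequence of the ordering: `--dport 1500:` accepts any new connection to a port of 1500 or above, so the DISPOSE catch-all never sees those.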
Bump