Re: Firewall against Windows XP?

From: Mark Atherton (n_z_w_nguregba_at_lnubb.pb.hx)
Date: 07/01/03


Date: Tue, 01 Jul 2003 22:37:26 +0100

Carlos Moreno wrote:
>
> Hi there,
>
> I have a home LAN protected by a Linux box that acts as a
> Gateway/router/firewall (currently setup with iptables,
> "stealth" mode).
>
> I currently use Linux and Windows 2000 on my internal
> machines, but I may be "forced" to switch to Windows XP
> (professional, I guess) in the near future (you know,
> the usual story )8-[ )
>
> Anyway, I've always been terrified of using Windows XP,
> which I regard as the worst threat to the privacy and
> security of my machines, my privacy, information, etc.
>
> I was wondering if you guys have experience with this
> setup (I'm talking about a Linux-based gateway/firewall
> to protect a network that has computers with WinXP among
> others). Any specific ports that I need to block to
> prevent Windows XP from doing its funny thing??
>
> I'm even terrified to simply put a strong firewall for
> the incoming stuff -- it terrifies me that Windows XP
> might willingly share my information without my knowing
> it. I wonder if there is a list of ports that I should
> block on both directions? (something that would not
> affect regular usage of the web, e-mail, ftp downloads,
> SSH, etc.). I might even be willing to unconditionally
> block traffic to or from www.microsoft.com, www.hotmail.com,
> MSN, etc. (if that makes any sense -- you know, being
> paranoid as I am, and so profoundly uninterested in stuff
> from Microsoft, I think it could make sense).
>
> (yes, I know, I know I seem to be sending mixed signals...
> So uninterested in Microsoft stuff, but currently using
> Win2K and thinking of switching to WinXP... *sigh*, this
> world is so depressing, I know :-))
>
> Thanks for any advice or pointers!
>
> Carlos
> --
>

I block everything in both directions and run daemons on the gateway
machine for any services I want workstations to have access to.

That means squid acting as http/https/ftp proxy and also running dns,
ntp and nntp servers. I also run a mail server (postfix, imap,
fetchmail) so there is no need for any direct connections to pass
through the firewall either in or out.

Of course spyware can still communicate with home using http, but at
least there will be a trace in the squid logs.

Now, one thing I haven't managed to do is configure squid to refuse
access on IP address if a reverse dns lookup fails. My logic is that at
least if the IP address is linked to a domain name I have a chance of
finding out who is receiving outgoing connections from spyware within my
LAN. Is this worthwhile? If so, can it be done?

Mark Atherton
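One way to get the behaviour Mark asks about (refusing proxied requests whose destination is a bare IP address with no reverse DNS record) is a Squid external ACL helper. The script below is an added example, not code from this thread or from the Squid project; it assumes the classic external ACL helper protocol (one request line on stdin carrying the `%DST` token, one `OK`/`ERR` reply per line on stdout) and an installation path of `/usr/local/bin/rdns_check.py`, both of which are choices made here. Hostnames are allowed through unchanged, since a name is already what Mark wants to see in the squid logs; only IP literals are checked for a PTR record, and a lookup failure or empty answer is treated as a denial.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: deny requests to raw IP destinations that
have no reverse DNS record.

Matching squid.conf lines (assumed layout, adjust the path to taste):

    external_acl_type rdns_check ttl=300 %DST /usr/local/bin/rdns_check.py
    acl has_rdns external rdns_check
    http_access deny !has_rdns

Squid writes one destination per line to this helper and reads back a
single OK or ERR line for each.
"""
import ipaddress
import socket
import sys


def has_reverse_dns(dest, resolver=socket.gethostbyaddr):
    """Return True when `dest` is an ordinary hostname, or an IP literal
    (IPv4 or bracketed/unbracketed IPv6) that resolves to a PTR name.

    `resolver` is injectable so the decision logic can be exercised offline;
    in production it is socket.gethostbyaddr.
    """
    try:
        ip = ipaddress.ip_address(dest.strip("[]"))
    except ValueError:
        # Not an IP literal: the URL already carries a domain name, so the
        # squid access log will record something a human can follow up on.
        return True
    try:
        name, _aliases, _addrs = resolver(str(ip))
    except OSError:
        # socket.herror / socket.gaierror both derive from OSError:
        # NXDOMAIN, SERVFAIL or timeout all mean "no usable PTR record".
        return False
    return bool(name)


def decide(line, resolver=socket.gethostbyaddr):
    """Map one helper request line (the %DST value) to Squid's reply."""
    dest = line.strip()
    if not dest:
        # Squid should never send an empty destination; fail closed.
        return "ERR"
    return "OK" if has_reverse_dns(dest, resolver) else "ERR"


def main():
    # Line-oriented loop; flush after every answer or Squid will hang
    # waiting on a buffered reply.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The `ttl=300` option caches each verdict inside Squid for five minutes, so a busy client hammering one address does not trigger a PTR lookup per request. Because the helper fails closed on any resolver error, a DNS outage will block access to IP-literal URLs until it clears; hostnames are unaffected, which is the trade-off Mark's reasoning implies.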


