[Dshield] d-shield, who are they?

Lawrence Engleman lceone at comcast.net
Sat Aug 16 18:06:39 GMT 2003


Jeff Kell wrote:
> Firewalling internal networks can be tricky at best *if* you are really 
> doing Microsoft file sharing, Samba, CIFS, etc.  It hits you where it 
> hurts and you can't necessarily block it (no more than you can block 
> http for IIS or Apache weaknesses, it's self-defeating).

Very true.  But my log files would be a much happier place if all the 
school networks would slap a
iptables -A OUTPUT --dport 25 -j ACCEPT
iptables -A OUTPUT --dport 80 -j ACCEPT
iptables -A OUTPUT --dport 110 -j ACCEPT
..(perhaps a few others)
intables -A OUTPUT -j DROP

on a firewall just before their network connects to the internet.

My reasoning for this?  Internally they'll want file sharing and full 
access to all machines. (*shudder*)  Fine.  Allow them to destroy their 
internal network.  You cant stop them from doing that anyway.

But externally, they will need to check mail, see web pages, and perhaps 
a few other very basic things.  *If* they need to be doing something a 
bit more complicated than that (ssh, etc), then they should be hiring an 
administrator that would not only be able to modify this firewall setup 
intelligently, with per IP or per segment rules, but would be able to 
instruct them on safer computing practices.
Also, since the average highschool student seems to have several years 
of computing experience over the average highschool computer teacher (a 
problem I had in highschool as well) script kiddies are very likely to 
abuse school systems, and need to be somewhat restrained.

-Larry

-- 
                            /   \
                     )     ((   ))     (
  _                 /|\     ))_((     /|\                 _
(@)               / | \   (o\v/o)   / | \               (@)
|_|\-------------------VvV-\ | /-VvV-------------------/|_|
|_|   Lawrence Engleman    (0_0)     "Not doing above   |_|
|_|                                   average is what   |_|
|_|   email: lceone at comcast.net       keeps the average |_|
|_|   web: larry.fullywired.net       down."            |_|
{ }/---------------------------------------------------\{ }
              | | /\ | /    ( (      \ | /\ | |
              |  /  \ /      \ \      \ /  \  |
              | /    v        ) )      v    \ |
               V              \/             V




More information about the list mailing list