This is actually a Windows firewall problem, but I am asking it here because with Windows, one simply clicks a button. Under Linux, one knows and understands why we click the button.
I have a router connected by Ethernet to my Linux box (Mandriva Spring) and by wireless to my wife's laptop running Windows XP. Both XP's own firewall and the installed CA Security suite claim that for maximum security, the Windows box must be totally isolated from the network, because it has access to the Internet. This means that it can't be part of Samba, or it may infect my Linux box (don't laugh), so it can't use my printer (which is the only reason I installed Samba.)
I decided that this setting was too extreme and idiotic, so I dropped the security level there sufficiently to allow networking and SMB. Her box still can't send emails, and her firewall is blocking them. Apparently it is still in the "cotton-wool" zone - there, but deprived of all usefulness. What I probably need to do (but I haven't yet) is to move emails or OE into the same intermediate zone. And I have been cursing Windows for something that wasn't their fault.
I know that everything in life is compromise. What is a reasonable way of tackling this?
BTW, CA has an anti-zombie setting. If it detects that mass emails are going out, it blocks them, but that isn't what is stopping my wife's one email a month. OE says it can find the SMTP server, but can't connect to it. Totally disabling the firewall allows the connection.
Doug - he who must obey.
--
Programming is like sex: One mistake and you have to support it for your lifetime.
-- Pinched from another's sig. Only a programmer could empathise.
Replies to the message from Doug Laidlaw (laidlaws@doughost.invalid)
> This is actually a Windows firewall problem, but I am asking it here because
> with Windows, one simply clicks a button. Under Linux, one knows and
> understands why we click the button.
>
> I have a router connected by Ethernet to my Linux box (Mandriva Spring) and
> by wireless to my wife's laptop running Windows XP. Both XP's own
> firewall and the installed CA Security suite claim that for maximum
> security, the Windows box must be totally isolated from the network,
> because it has access to the Internet. This means that it can't be part of
> Samba, or it may infect my Linux box (don't laugh), so it can't use my
> printer (which is the only reason I installed Samba.)
>
> I decided that this setting was too extreme and idiotic, so I dropped the
> security level there sufficiently to allow networking and SMB. Her box
> still can't send emails, and her firewall is blocking them. Apparently it
> is still in the "cotton-wool" zone - there, but deprived of all
> usefulness. What I probably need to do (but I haven't yet) is to move
> emails or OE into the same intermediate zone. And I have been cursing
> Windows for something that wasn't their fault.
>
> I know that everything in life is compromise. What is a reasonable way of
> tackling this?
>
> BTW, CA has an anti-zombie setting. If it detects that mass emails are
> going out, it blocks them, but that isn't what is stopping my wife's one
> email a month. OE says it can find the SMTP server, but can't connect to
> it. Totally disabling the firewall allows the connection.
>
> Doug - he who must obey.
I cured the problem by creating a special rule enabling SMTP. At least the graphical wizard saved me the intricacies of whatever takes the place of iptables. But my basic gripe remains: what is the use of a network if the computer is firewalled off from it? Why have email capability then stop it from working? Only lawyers do anything so ridiculous. I was one - and hated it for that very reason.
Doug - living inside a social firewall, a retirement village, "God's waiting room."
--
Husbands are like the fire on the hearth - likely to go out if left unattended.
- W.G.P.
> I cured the problem by creating a special rule enabling SMTP. At least the
> graphical wizard saved me the intricacies of whatever takes the place of
> iptables. But my basic gripe remains: what is the use of a network if the
> computer is firewalled off from it? Why have email capability then stop it
> from working? Only lawyers do anything so ridiculous. I was one - and
> hated it for that very reason.
>
> Doug - living inside a social firewall, a retirement village, "God's waiting
> room."
Many, if not most, Linux systems run nightly cron jobs to rotate logs, check for updates, scan for weird messages in the system logs, etc., etc. These are normally emailed to the cron job owner, who is normally "root". The SMTP server is used on these systems to deliver the log messages somewhere useful: the normal restrictive firewall does allow that server to transfer the email *out* to a remote target, while refusing all non-local email. On such a system, you may as well block port 25 incoming, because nothing should be sending to that system from elsewhere until you're bothered to turn it on.
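The "mail out, nothing in" host policy described above, as an added example that is not part of this thread: a constructed iptables-save fragment for that policy, plus a small first-match evaluator so the rules can be checked against sample packets without touching a live netfilter. The interface names and the `--reject-with` choice are assumptions.

```python
"""Constructed model of the host policy described above (not from the thread):
cron mail leaves via the local MTA on TCP/25, inbound TCP/25 from elsewhere
is refused, loopback stays open. evaluate() walks a chain first-match-wins
and falls back to the chain policy, as netfilter's filter table does."""
from collections import namedtuple

RULES = """\
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT
"""
# chain: INPUT/OUTPUT; iface: lo/eth0 (assumed); state: conntrack state
Packet = namedtuple("Packet", "chain iface proto dport state",
                    defaults=("tcp", 0, "NEW"))
# iptables flags this toy parser understands -> rule keys
KEYS = {"-i": "iface", "-o": "iface", "-p": "proto", "--dport": "dport",
        "--state": "states", "-j": "target"}

def parse(text):
    """Return ({chain: policy}, [rule dicts]) from iptables-save lines."""
    policies, rules = {}, []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0].startswith(":"):          # ":INPUT DROP [0:0]"
            policies[tok[0][1:]] = tok[1]
        elif tok and tok[0] == "-A":                # "-A CHAIN flag val ..."
            rule = {"chain": tok[1]}
            for flag, val in zip(tok[2::2], tok[3::2]):
                if flag in KEYS:
                    rule[KEYS[flag]] = set(val.split(",")) if flag == "--state" else val
            rules.append(rule)
    return policies, rules

def matches(rule, pkt):
    """Every match the rule specifies must hold; unspecified ones are wildcards."""
    return (rule["chain"] == pkt.chain
            and rule.get("iface", pkt.iface) == pkt.iface
            and rule.get("proto", pkt.proto) == pkt.proto
            and rule.get("dport", str(pkt.dport)) == str(pkt.dport)
            and pkt.state in rule.get("states", {pkt.state}))

def evaluate(text, pkt):
    """Verdict for pkt: first matching rule's target, else the chain policy."""
    policies, rules = parse(text)
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policies[pkt.chain]
```

The ESTABLISHED rule sits before the port 25 REJECT, so replies to the MTA's own outbound connections still come back in; only new inbound SMTP is refused.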
"Doug Laidlaw" wrote in message news:kcugl4-nna.ln1@dougshost.douglaidlaw.net...
> Doug Laidlaw wrote:
>> This is actually a Windows firewall problem, but I am asking it here because
>> with Windows, one simply clicks a button. Under Linux, one knows and
>> understands why we click the button.
>>
>> I have a router connected by Ethernet to my Linux box (Mandriva Spring) and
>> by wireless to my wife's laptop running Windows XP. Both XP's own
>> firewall and the installed CA Security suite claim that for maximum
>> security, the Windows box must be totally isolated from the network,
>> because it has access to the Internet. This means that it can't be part of
>> Samba, or it may infect my Linux box (don't laugh), so it can't use my
>> printer (which is the only reason I installed Samba.)
>>
>> I decided that this setting was too extreme and idiotic, so I dropped the
>> security level there sufficiently to allow networking and SMB. Her box
>> still can't send emails, and her firewall is blocking them. Apparently it
>> is still in the "cotton-wool" zone - there, but deprived of all
>> usefulness. What I probably need to do (but I haven't yet) is to move
>> emails or OE into the same intermediate zone. And I have been cursing
>> Windows for something that wasn't their fault.
>>
>> I know that everything in life is compromise. What is a reasonable way of
>> tackling this?
>>
>> BTW, CA has an anti-zombie setting. If it detects that mass emails are
>> going out, it blocks them, but that isn't what is stopping my wife's one
>> email a month. OE says it can find the SMTP server, but can't connect to
>> it. Totally disabling the firewall allows the connection.
>>
>> Doug - he who must obey.
>
> I cured the problem by creating a special rule enabling SMTP. At least the
> graphical wizard saved me the intricacies of whatever takes the place of
> iptables. But my basic gripe remains: what is the use of a network if the
> computer is firewalled off from it? Why have email capability then stop it
> from working? Only lawyers do anything so ridiculous. I was one - and
> hated it for that very reason.
>
> Doug - living inside a social firewall, a retirement village, "God's waiting
> room."
> --
Perhaps I have misunderstood some of the security issues in networking, but as I understand it, you want a firewall to protect windoze from hostile outside forces. Therefore you place the firewall at the line between trusted and hostile areas. To me, that is at the router or internet gateway. I use a hardware firewall/router/gateway for that.
I see no value in protecting windoze from other windoze or linux machines in the local network. Inside my lan, all the windoze machines have the firewall turned off. All can send and receive e-mail through smtp and pop3, and all can access shares and printers. For convenience, I have the printers attached to the linux file server.
Windows firewall and the new Windows Live OneCare (or whatever it is called) really mess up connecting to the file server and printers. My son and daughter each have laptops which have the firewall on by default. This is appropriate for 'travelling' machines. They turn the firewall off when they connect here.
Stuart
> Husbands are like the fire on the hearth - likely to go out if left
> unattended.
> - W.G.P.
> Perhaps I have misunderstood some of the security issues in networking, but
> as I understand it, you want a firewall to protect windoze from hostile
> outside forces. Therefore you place the firewall at the line between trusted
> and hostile areas. To me, that is at the router or internet gateway. I use a
> hardware firewall/router/gateway for that.
This approach to security is known as "hard crunchy outer shell, soft chewy underbelly". It's relatively easy, but once an attacker is inside, you are prey to whatever they can scan and infest your machines with. Firewalling individual hosts, especially potentially vulnerable services such as SMTP, can prevent such attacks from infesting your entire network and spreading back out to attack others, or leaving root kits in place for attackers.
Please examine the history of the Morris Worm, circa 1988, for what can happen to unsecured UNIX systems. The lessons learned then still apply to internal networks.
> I see no value in protecting windoze from other windoze or linux machines in
> the local network. Inside my lan, all the windoze machines have the firewall
> turned off. All can send and receive e-mail through smtp and pop3, and all
> can access shares and printers. For convenience, I have the printers
> attached to the linux file server.
Then your Windoze boxes are vulnerable to whatever root kit a script kiddie can install through a hacked website when you reach out, or anything they succeed in reprogramming your router to allow, or any unsecured laptop that shows up on your network.
> Windows firewall and the new Windows Live OneCare (or whatever it is
> called) really mess up connecting to the file server and printers. My son
> and daughter each have laptops which have the firewall on by default. This
> is appropriate for 'travelling' machines. They turn the firewall off when
> they connect here.
And I hope all your machines are running good anti-virus and software updates, because those laptops can be a Typhoid Mary in your home network, with the wrong viruses or rootkits in place. This applies to all operating systems, including Linux. Traveling laptops are a serious attack vector.
Vulnerabilite.com cannot be held responsible for the statements made in the newsgroup comp.os.linux.security