public inbox for linux-newbie@vger.kernel.org
From: chuck <chuck@gelm.net>
To: Andrew <ald2@arrakis.es>
Cc: linux-newbie@vger.kernel.org
Subject: Re: adsl, firewalls, etc.
Date: Mon, 19 Dec 2005 10:32:40 -0500
Message-ID: <43A6D298.1020203@gelm.net>
In-Reply-To: <43A66B34.6070102@arrakis.es>

Andrew wrote:

> Midwinter greetings,
>
> I have just moved one rung up on the evolutionary scale and got myself 
> an adsl connection. I am probably going to make a few relatively minor 
> changes to my home lan because of this, but before going any further 
> there is one issue worrying me:
>
> The free modem my isp provided has no support under Linux so I had to 
> take the router option. It's a Draytek Vigor 2500. The default 
> configuration leaves ports 20 (ftp-data), 23 (telnet) and 80 (http) 
> open, the rest are stealthed (according to Shields Up). Am I right in 
> thinking this is not such a good idea? I haven't yet had any success 
> in trying to add rules to close these ports, and my isp 'cordially' 
> informs me that this is up to me to sort out, so for the time being I 
> am simply disconnecting when not in use (about 16 hours a day). Am I 
> being over-paranoid?
>
> TIA
> Andrew

Hi, Andrew:

"The free modem my isp provided has no support under Linux so I had to 
take the router option."

 I disagree.

 I have had two aDSL accounts; Earthlink and the local telephone company 
Ameritech (now SBC/Yahoo).
Each setup came with a DSL modem and an ethernet card at no charge other 
than a one year commitment.
Both accounts came with Windows(r) software and not Linux software.
Both modems worked flawlessly with Linux.  I used RoaringPenguin (PPPOE).
I don't know what protocol your ISP (Spain?) uses, but there may already 
be a Linux application for it.
There may be no need for explicit Linux support from the ISP as current 
Linux distributions may already contain
the needed application(s).  Sorry that this information is not your 
current solution, but I wanted to post
this response so that others may opt to accept the standard modem.

 Your answer, now, lies in the configuration of the router.  Unless you 
are offering a service to other internet hosts
or want to enable remote access to your router, you do not need any open 
ports
on the WAN side of your router.

 One is not paranoid if everyone else is really out to get one.
However, paranoia is not a solution.
IMHO, disconnecting two thirds of the time is a silly solution.
OBTW, are you disconnecting the modem from the telephone line or 
disconnecting your computer from the modem?

Suggestion:
Disable remote access to the router via WAN (and wireless, if applicable).
Else; Change the router's internal web server to a different port;
         e.g. between 2000 - 65535 and not 8080.

HTH, Chuck
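
Added example, not part of Chuck's message: a small check, run against your own router's WAN address from a host outside the LAN, that classifies the three ports Andrew lists as open, closed or stealthed (no reply at all), so a router rule change can be confirmed. The function names and the 2-second timeout are assumptions of this example.

```python
import socket
import sys

# Ports the original post reports as open on the router's WAN side.
REPORTED_OPEN = {20: "ftp-data", 23: "telnet", 80: "http"}


def probe(host, port, timeout=2.0):
    """Classify one TCP port using a full connect() attempt."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"         # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"       # RST came back: reachable, nothing listening
    except socket.timeout:
        return "stealth"      # no answer within the timeout: silently dropped
    except OSError:
        return "unreachable"  # e.g. no route or ICMP unreachable
    finally:
        s.close()


def audit(host, ports=REPORTED_OPEN, timeout=2.0):
    """Return ({port: state}, sorted list of ports that still accept connections)."""
    states = {p: probe(host, p, timeout) for p in ports}
    exposed = sorted(p for p, state in states.items() if state == "open")
    return states, exposed


if __name__ == "__main__":
    # Usage: python wan_check.py <your-own-WAN-address>
    # Run from outside the LAN; from inside, the router's LAN-side
    # admin page answers on port 80 and hides the WAN-side result.
    states, exposed = audit(sys.argv[1])
    for port, state in sorted(states.items()):
        print(f"{port:>5}  {REPORTED_OPEN.get(port, ''):<9} {state}")
    # Non-zero exit while any listed port is still open on the WAN side.
    sys.exit(1 if exposed else 0)
```

After remote management is disabled on the WAN side, all three ports should report "closed" or "stealth" and the script should exit 0.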


