On Sun, 22 Jul 2012, lina wrote:
> Strangely, my netstat showed my 139 and 445 ports are open.
>
> tcp    0    0 0.0.0.0:445    0.0.0.0:*    LISTEN
> tcp    0    0 0.0.0.0:139    0.0.0.0:*    LISTEN
>
> Do I need to specify
>
> -A INPUT -p tcp --dport 139 -j REJECT
>
> in iptables?

It is good practice to not let ports 135, 137, 138, 139 and 445 get through the interface to *EXTERNAL* networks/Internet. They're used for services that ought to stay restricted to your internal network and VPNs, and they're required only if you use Windows-style network shares in your internal network. The same goes for port 631 (CUPS/IPP printing) and a few other ports that are used by services that nobody in an external network has any business messing with in the general case.

If you don't need Windows-style networking at all, it is best to disable/remove/purge the package "samba", which provides these services. This ought to close the 445 and 139 ports.

> BTW, why do we need to allow ping? From outside?

It is useful for diagnostics initiated from the outside, and that's it. If you don't need it (i.e. you never ping your box from an outside network), you can safely drop incoming ICMP ECHO REQUESTs on the external interface (that type 8 in the iptables rule means ECHO REQUEST).

Do not mess with the other ICMP types unless you know what you're doing; some of them must not be dropped at all, while some others are required only in specific network topologies. The kernel already does a very good job at ignoring rogue ICMPs by default.

http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

-- 
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

Archive: http://lists.debian.org/20120722134949.gb6...@khazad-dum.debian.net
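A firewall fragment that follows the advice above, added here as an example and not taken from the thread or from Henrique's own configuration. It assumes the external interface is eth0 (override with EXT_IF); it only prints the rules unless run as root with APPLY=1, and it touches ICMP type 8 only, leaving every other ICMP type to the kernel defaults.

```bash
#!/bin/sh
# Assumed external (Internet-facing) interface; change to match your box.
EXT_IF="${EXT_IF:-eth0}"

# Rules that keep Windows-style networking and CUPS/IPP off the external
# interface only; the internal LAN and VPNs are deliberately left alone.
lan_only_rules() {
  # TCP: RPC endpoint mapper, NetBIOS session, SMB, IPP
  for p in 135 139 445 631; do
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' \
      "$EXT_IF" "$p"
  done
  # UDP: NetBIOS name and datagram services
  for p in 137 138; do
    printf 'iptables -A INPUT -i %s -p udp --dport %s -j REJECT\n' "$EXT_IF" "$p"
  done
}

# Drop ECHO REQUEST (ICMP type 8) from outside; no other ICMP type is touched,
# so path-MTU discovery and error reporting keep working.
icmp_rules() {
  printf 'iptables -A INPUT -i %s -p icmp --icmp-type 8 -j DROP\n' "$EXT_IF"
}

all_rules() {
  lan_only_rules
  icmp_rules
}

# Quick local check, mirroring the netstat output quoted in the thread:
# returns 0 if anything is still listening on 139 or 445 (requires ss).
smb_still_listening() {
  command -v ss >/dev/null 2>&1 || return 2
  ss -ltn 2>/dev/null | grep -Eq ':(139|445)[[:space:]]'
}

# Print the rules; apply them only when explicitly asked for as root.
if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
  all_rules | sh -e
else
  all_rules
fi
```

If the samba package is purged as suggested, `smb_still_listening` should return 1 even before any rule is applied; the rules then only guard against a future reinstall.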