(E-Mail Removed) (John) wrote in message news:<(E-Mail Removed). com>...
> Please offer comments, suggestions, criticism (constructive, please) on
> the following plan:
>
> I would like to filter my small home network (keep the crap from
> appearing in front of the kids.) I recently succumbed to
> zestyfind/look2me after my wife failed to read all the boxes that were
> popping up. (Yes, I know I should have had the settings on ie
> tightened down and I shouldn't have windoze in the first place....but
> that's what I need for a lot of what I do.)
>
> Cable====Cable Modem=====Linux Firewall====Speedstream Router/Firewall
>                                                  |        |        |
>                                                  |        |        |
>                                                  |        |        |
>                                                  |        |        |
>                                                Box1     Box2     Box3
>
> I understand there is some redundancy, but the Speedstream also is a
> print server (I imagine the Linux box could do that also...but I'm not
> ready for that yet.)
>
> I plan on Dan's Guardian....what else should I be doing?
>
> Links and general info are appreciated.
>
> John
Been a while since I've looked over Dan's Guardian -- IIRC, fetching
updates is the biggest hassle. Check that it works as expected/wanted
before assuming it's doing what you want.
The Windows boxes should _each_ have some kind of personal firewall --
I've always used the free Zone Alarm, but some folks _hate_ it.
Choose your poison ;-)
The Speedstream router has probably been MASQing or NATing your other
machines -- you will probably need to let the Linux box provide that
now. Not familiar with the Speedstream so check whether it was
also providing any DHCP services for the LAN machines -- i.e.,
automatically assigning IPs, DNS, and GW routes. Decide if it
can/should still do that behind the Linux box.
I wouldn't disable the Speedstream FW till I knew it was causing a
problem or not needed. You may need/want to disable it when testing
your network configuration till you get things going.
The Linux box should block all connection (SYN) requests from the
outside world -- if you're not hosting any public services, like a web
server. Do _not_ enable/allow any file/printer sharing to leak out
onto the internet.
The biggest problem is cutting down on the amount of "background" net
traffic (services) that XP generates -- especially Universal
Plug-n-Play. There are many others, however. Have a look here for a
maintained list of such services and which ones you may want to
disable:
http://www.blackviper.com/WinXP/servicecfg.htm
Get the latest fix for Windows' security problems -- the same one that
allows sasser to do its thing. This is an ugly hole that's been
suspected for years -- now it's out in the wild!
https://www.microsoft.com/security/incident/sasser.asp
http://www.microsoft.com/downloads/d...displaylang=en
Good iptables (linux FW) info and scripts:
http://www.linuxguruz.com/iptables/
Don't use a script till you understand it -- some are pretty (overly,
IMO) complicated.
Those are the main things that come to mind offhand. Others will
doubtless offer additional suggestions -- digest slowly. The main
thing is to understand what is/should be occurring on your network
rather than cluelessly abiding by the advice of others -- me included
;-)
hth,
prg
email above disabled
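As an added illustration of the two firewall points made in the reply above (drop inbound SYNs from the cable side, and keep Windows file/printer sharing from leaking out, while the Linux box takes over NAT for the LAN), here is a minimal iptables ruleset. This is example code, not from the thread or any project; the interface names (eth0/eth1) and the LAN range 192.168.1.0/24 are assumptions you would adjust for your own box. Run it with no argument to print the rules, or with `apply` as root to install them.

```shell
#!/bin/sh
# Assumed interface names and LAN range; change to match the real box.
WAN=eth0                 # assumed: side facing the cable modem
LAN=eth1                 # assumed: side facing the Speedstream / LAN
LAN_NET=192.168.1.0/24   # assumed: private LAN range

# Wrapper: print the rule by default, execute it only in "apply" mode.
ipt() {
  if [ "$MODE" = "apply" ]; then iptables "$@"; else echo "iptables $*"; fi
}

gen_rules() {
  MODE=$1
  if [ "$MODE" = "apply" ]; then sysctl -w net.ipv4.ip_forward=1; fi
  ipt -F
  ipt -t nat -F
  # Default to dropping anything not explicitly allowed.
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT
  # Loopback and replies to connections we started are fine.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # LAN machines may talk to the firewall itself (DHCP, DNS, admin).
  ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
  # Nothing is hosted, so no new TCP connections (SYN) from the internet.
  ipt -A INPUT -i "$WAN" -p tcp --syn -j DROP
  ipt -A FORWARD -i "$WAN" -p tcp --syn -j DROP
  # Windows file/printer sharing stays on the LAN: block it from leaving.
  for port in 135 137 138 139 445; do
    ipt -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport "$port" -j DROP
    ipt -A FORWARD -i "$LAN" -o "$WAN" -p udp --dport "$port" -j DROP
  done
  # Everything else from the LAN goes out, NATed behind the WAN address.
  ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
  ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

gen_rules "${1:-print}"
```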