KPF 2.1.5: Catch-all rule complicates having firewall ask about incoming ssh
on 15.07.2007 15:01:30 by Dubious Dude
I would like KPF to ask whether to allow incoming TCP connections to port 22.
Creating a rule only lets the user choose whether to permit or deny the
connection, not whether to prompt for permission or denial. I thought that I
could delete the rule altogether, in which case the user is prompted to permit
or deny the incoming ssh. However, the last rule of the firewall is a catch-all
rule that denies any connections not covered by any other rules. This prevents
KPF from prompting for incoming TCP connections to port 22. Is there a way to
have KPF prompt for incoming connections to port 22, yet still maintain the
catch-all rule?
Thanks.
Re: KPF 2.1.5: Catch-all rule complicates having firewall ask about incoming ssh
on 16.07.2007 16:51:13 by Systemguy
"Dubious Dude" wrote in message
news:f7d63p$sb6$1@aioe.org...
> I would like KPF to ask whether to allow incoming TCP connections to port 22.
> Creating a rule only lets the user choose whether to permit or deny the
> connection, not whether to prompt for permission or denial. I thought that I
> could delete the rule altogether, in which case the user is prompted to permit
> or deny the incoming ssh. However, the last rule of the firewall is a catch-all
> rule that denies any connections not covered by any other rules. This prevents
> KPF from prompting for incoming TCP connections to port 22. Is there a way to
> have KPF prompt for incoming connections to port 22, yet still maintain the
> catch-all rule?
>
> Thanks.
The short answer is no.
The catch-all is meant to be put into place after you have tuned the
firewall for all the inbound connections you plan on accepting. That way it
will not keep prompting you when new ports are attempted but simply deny them.
If you actually want someone to be able to connect to your port 22 it makes
more sense to simply allow it in your rules. You could even restrict the IP
addresses allowed to connect. Finally, ensure your ssh application is fully
patched and hardened so only authorized parties can get through.
Cheers,
Systemguy
Re: KPF 2.1.5: Catch-all rule complicates having firewall ask about incoming ssh
on 17.07.2007 06:43:41 by Dubious Dude
Systemguy wrote:
> "Dubious Dude" wrote in message
> news:f7d63p$sb6$1@aioe.org...
>> I would like KPF to ask whether to allow incoming TCP connections to port 22.
>> Creating a rule only lets the user choose whether to permit or deny the
>> connection, not whether to prompt for permission or denial. I thought that I
>> could delete the rule altogether, in which case the user is prompted to permit
>> or deny the incoming ssh. However, the last rule of the firewall is a catch-all
>> rule that denies any connections not covered by any other rules. This prevents
>> KPF from prompting for incoming TCP connections to port 22. Is there a way to
>> have KPF prompt for incoming connections to port 22, yet still maintain the
>> catch-all rule?
>>
>> Thanks.
>
> The short answer is no.
>
> The catch-all is meant to be put into place after you have tuned the
> firewall for all the inbound connections you plan on accepting. That way it
> will not keep prompting you when new ports are attempted but simply deny them.
>
> If you actually want someone to be able to connect to your port 22 it makes
> more sense to simply allow it in your rules. You could even restrict the IP
> addresses allowed to connect. Finally, ensure your ssh application is fully
> patched and hardened so only authorized parties can get through.
Thank you, Systemguy. I did in fact end up creating a rule for port 22 that
allows connections from a certain address range. Hardening is something I have
to read up on.
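
Added example, not part of any post in this thread and not KPF's own code: a simplified first-match model of the rule list discussed above, showing why a trailing catch-all deny means the prompt is never reached, and how a port 22 permit rule limited to an address range behaves when placed ahead of it. The `Rule` class, the `decide` function and the 192.0.2.0/24 range are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    port: Optional[int]           # None matches any local port
    sources: str = "0.0.0.0/0"    # CIDR the remote address must fall in

    def matches(self, src: str, port: int) -> bool:
        in_range = ipaddress.ip_address(src) in ipaddress.ip_network(self.sources)
        return in_range and (self.port is None or self.port == port)


def decide(rules, src: str, port: int) -> str:
    """Assumed model: the first matching rule wins; no match means a prompt."""
    for rule in rules:
        if rule.matches(src, port):
            return rule.action
    return "ask"


CATCH_ALL = Rule("deny", None)                    # denies anything not matched earlier
SSH_FROM_RANGE = Rule("permit", 22, "192.0.2.0/24")  # constructed address range

# No rule for port 22 and no catch-all: the user gets prompted.
no_rules = []
# Catch-all only: every unmatched connection is denied, so no prompt can occur.
catch_all_only = [CATCH_ALL]
# The setup the thread ends with: restricted permit first, catch-all last.
tuned = [SSH_FROM_RANGE, CATCH_ALL]
# Same rules in the wrong order: the catch-all shadows the permit rule.
shadowed = [CATCH_ALL, SSH_FROM_RANGE]

if __name__ == "__main__":
    for name, rules in [("no rules", no_rules), ("catch-all only", catch_all_only),
                        ("tuned", tuned), ("shadowed", shadowed)]:
        inside = decide(rules, "192.0.2.10", 22)     # inside the permitted range
        outside = decide(rules, "198.51.100.7", 22)  # outside the permitted range
        print(f"{name:15s} inside={inside:7s} outside={outside}")
```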