This is a discussion on Firewall against Windows XP? within the Linux Security forums, part of the System Security and Security Related category.
Hi there,

I have a home LAN protected by a Linux box that acts as a Gateway/router/firewall (currently set up with iptables, "stealth" mode).

I currently use Linux and Windows 2000 on my internal machines, but I may be "forced" to switch to Windows XP (professional, I guess) in the near future (you know, the usual story )8-[ )

Anyway, I'm always terrified of using Windows XP, which I regard as the worst threat to the privacy and security of my machines, my privacy, information, etc.

I was wondering if you guys have experience with this setup (I'm talking about a Linux-based gateway/firewall to protect a network that has computers with WinXP among others). Any specific ports that I need to block to prevent Windows XP from doing its funny thing??

I'm even terrified to simply put a strong firewall for the incoming stuff -- it terrifies me that Windows XP might willingly share my information without my knowing it. I wonder if there is a list of ports that I should block on both directions? (something that would not affect regular usage of the web, e-mail, ftp downloads, SSH, etc.). I might even be willing to unconditionally block traffic to or from www.microsoft.com, www.hotmail.com, MSN, etc. (if that makes any sense -- you know, being paranoid as I am, and so profoundly uninterested in stuff from Microsoft, I think it could make sense).

(yes, I know, I know I seem to be sending mixed signals... So uninterested in Microsoft stuff, but currently using Win2K and thinking of switching to WinXP... *sigh*, this world is so depressing, I know :-))

Thanks for any advice or pointers!

Carlos
--
Carlos Moreno wrote:

> I have a home LAN protected by a Linux box that acts as a
> Gateway/router/firewall (currently set up with iptables,
> "stealth" mode).
> [...]
> I wonder if there is a list of ports that I should
> block on both directions? (something that would not
> affect regular usage of the web, e-mail, ftp downloads,
> SSH, etc.).
> [...]

I block everything in both directions and run daemons on the gateway machine for any services I want workstations to have access to. That means squid acting as http/https/ftp proxy and also running dns, ntp and nntp servers.

I also run a mail server (postfix, imap, fetchmail) so there is no need for any direct connections to pass through the firewall either in or out. Of course spyware can still communicate with home using http, but at least there will be a trace in the squid logs.

Now, one thing I haven't managed to do is configure squid to refuse access on IP address if a reverse dns lookup fails. My logic is that at least if the IP address is linked to a domain name I have a chance of finding out who is receiving outgoing connections from spyware within my LAN. Is this worthwhile? If so, can it be done?

Mark Atherton
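The reverse-DNS refusal Mark asks about can be done with Squid's `external_acl_type` directive, which hands each request to an external program and treats its `OK`/`ERR` answer as an ACL match. The helper below is an added example written for this thread, not Mark's configuration or anything shipped with Squid: it resolves the destination hostname (or takes an IP literal as-is), then requires a PTR record for every resulting address. The helper path and the `squid.conf` lines in the header comment are assumptions using Squid 3.x token names; confirm `%DST` against the `squid.conf.documented` file of the version actually installed.

```shell
#!/bin/sh
# Added example (not from the thread): a Squid external ACL helper that
# answers "OK" only when every address the destination resolves to has a
# working reverse (PTR) record, and "ERR" otherwise. Squid writes one
# destination hostname per line and reads one OK/ERR line back.
#
# Assumed squid.conf glue (Squid 3.x syntax; the helper path is an assumption):
#   external_acl_type ptrcheck ttl=300 negative_ttl=60 %DST /usr/local/bin/ptr_check.sh run
#   acl has_ptr external ptrcheck
#   http_access deny !has_ptr
#   http_access allow localnet

# Forward lookup: print the IPv4 addresses for a name, one per line.
forward_lookup() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Reverse lookup: print the PTR name for an address, nothing on failure.
reverse_lookup() {
    getent hosts "$1" 2>/dev/null | awk '{print $2; exit}'
}

# Returns 0 (OK) when the destination has a usable PTR for every address,
# 1 (ERR) when the name does not resolve or any address lacks a PTR.
ptr_check() {
    dst=$1
    case $dst in
        # anything that is not a bare IPv4 literal is a hostname: resolve it
        *[!0-9.]*) addrs=$(forward_lookup "$dst") ;;
        # a URL written with a bare IPv4 literal: check that address directly
        *) addrs=$dst ;;
    esac
    [ -n "$addrs" ] || return 1                      # does not resolve at all
    for a in $addrs; do
        [ -n "$(reverse_lookup "$a")" ] || return 1  # no PTR record
    done
    return 0
}

# Helper main loop: one request per line in, one verdict per line out.
helper_loop() {
    while read -r dst _; do
        if ptr_check "$dst"; then echo OK; else echo ERR; fi
    done
}

# Squid starts the helper with the "run" argument (see the config above);
# without it the file only defines the functions, so it can be sourced.
if [ "${1:-}" = "run" ]; then
    helper_loop
fi
```

Squid caches each verdict for `ttl` seconds, so the extra lookups cost little, and a denied request still lands in `access.log` with the destination name, which is the trace Mark wants. Blocking on a missing PTR does not distinguish a misconfigured legitimate site from a suspicious one, so expect some breakage and keep an allow-list ACL ahead of the `deny` line for known exceptions.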
Carlos Moreno wrote:

> I was wondering if you guys have experience with this
> setup (I'm talking about a Linux-based gateway/firewall
> to protect a network that has computers with WinXP among
> others). Any specific ports that I need to block to
> prevent Windows XP from doing its funny thing??
> [...]

Be sure you block any NETBIOS service sessions, and its newer ports. Also block the various printer server shares (i.e. HP Print Services). I know of many trivial, but nasty, compromise attacks against these ports.

Steve Hathaway
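The ports Steve refers to, turned into the "both directions" gateway rules Carlos asked for: this is an added example, not code from the thread, for a Linux iptables gateway. It drops NetBIOS (137/udp, 138/udp, 139/tcp) and the newer direct-hosted SMB port Windows 2000/XP use (445/tcp) in the FORWARD chain, LAN-to-internet and internet-to-LAN, logging each attempt so the originating host shows up in syslog. The interface names and the inclusion of 9100/tcp (HP JetDirect raw printing) for the "printer server shares" are assumptions; the thread itself names only NETBIOS and HP Print Services.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for a Linux gateway
# that stop Windows file/printer sharing traffic from crossing the WAN link
# in either direction, logging each attempt before dropping it.
# Assumptions (not stated in the thread): the LAN side is $LAN_IF and the
# internet side is $WAN_IF; adjust both to match the gateway.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"

# NetBIOS name service (137/udp), datagram (138/udp), session (139/tcp) and
# the "newer" direct-hosted SMB port used by Windows 2000/XP (445/tcp).
# 9100/tcp (HP JetDirect raw printing) is an assumption for the printer
# shares mentioned in the thread; drop it from SMB_TCP if not wanted.
SMB_UDP="137 138"
SMB_TCP="139 445 9100"

# Print the rules for one direction (in_if -> out_if) with a log prefix.
# The LOG rule is rate-limited so a chatty host cannot flood syslog.
smb_block_rules() {
    in_if=$1; out_if=$2; label=$3
    for p in $SMB_UDP; do
        echo "iptables -A FORWARD -i $in_if -o $out_if -p udp --dport $p -m limit --limit 3/min -j LOG --log-prefix \"$label \""
        echo "iptables -A FORWARD -i $in_if -o $out_if -p udp --dport $p -j DROP"
    done
    for p in $SMB_TCP; do
        echo "iptables -A FORWARD -i $in_if -o $out_if -p tcp --dport $p -m limit --limit 3/min -j LOG --log-prefix \"$label \""
        echo "iptables -A FORWARD -i $in_if -o $out_if -p tcp --dport $p -j DROP"
    done
}

# Both directions: LAN hosts talking out (spyware, accidental shares) and
# internet hosts probing in. FORWARD only sees routed traffic; the gateway's
# own INPUT chain must drop these ports separately.
all_smb_rules() {
    smb_block_rules "$LAN_IF" "$WAN_IF" "SMB-OUT"
    smb_block_rules "$WAN_IF" "$LAN_IF" "SMB-IN"
}

# Default: preview the rules. With "apply" (as root) run them through sh.
if [ "${1:-}" = "apply" ]; then
    all_smb_rules | sh -e
else
    all_smb_rules
fi
```

Run it without arguments to review the generated commands and with `apply` to load them. They must sit ahead of any general `-j ACCEPT` in FORWARD, so on a gateway that already has an accept-all rule replace `-A` with `-I` (or load the block before that rule). Afterwards, a `grep 'SMB-OUT' /var/log/messages` (or wherever the kernel log goes) shows which LAN machine tried to reach port 139/445 outside, which is exactly the "doing its funny thing" signal Carlos is after.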
"Carlos Moreno" <moreno_at_mochima_dot_com@x.xxx> wrote in message
news:JpkMa.34012$104.408915@weber.videotron.net...

> {snipped and paraphrased}
> I have linux gateway/router/firewall using iptables and drop. It serves
> Linux and W2k. Have to support XP. Issues?

I don't serve a 2k machine, but I do serve a 98SE, ME, and XP box. The Linux firewall drops all incoming connections like yours, but does nothing for outgoing. To protect against unauthorized outgoing connections I installed Kerio and Zone Alarm (Kerio on one, ZA on the other two). These firewalls check the application making the connect request and will prompt for permission on first attempt, and will alert you if the program changes. This is good for verifying, say, your browser hasn't been altered by malware.

I also have AVG anti-virus running. Some say it doesn't work for them, but it does for me. And it's free, which is always a good thing.
n1pop wrote:

> I don't serve a 2k machine, but I do serve a 98SE, ME, and XP box. The
> Linux firewall drops all incoming connections like yours, but does nothing
> for outgoing. To protect against unauthorized outgoing connections

Hmmm... But how does one define an "unauthorized" outgoing connection? If Windows XP does things behind my back, then it [WinXP] would not call them unauthorized -- *I* would call them unauthorized. How will the software know what I'm thinking, unless I tell it?

But then, that's what I was attempting by firewalling outgoing connections -- if possible at all (that is, if I know what ports I have to block, under what conditions, etc.)

Thanks,

Carlos
--