Firewalk for Linux works wonders; it will bypass NAT and test for ACLs and then initiate scans on the private network. Granted, even though you may be scanned internally, it only allows the attacker to gain a footprint of your network. Your best bet, depending on the network topology, is to set up a DMZ or "victim" box in a chroot environment and allow the attacker to attack the "honeypot". That is, if you are running mission-critical apps in an enterprise environment. At home I would stick a *nix box between the modem and the computer, or between the router and the internal computer/switch. Grab Smoothwall from http://www.smoothwall.org and install it on a P133+ w/ 64MB RAM, 2x NICs minimum. Smoothwall has transparent proxy capabilities, NIDS, and okay packet rules, ingress only (incoming (DENY)). I would work on egress (outgoing (DENY all, ALLOW only TCP 21, 22, 80, etc.)) filters for the Smoothwall. Eips is absolutely right:
You are still vulnerable to any attack that uses your web browser or email client.
You can deal with most of the web-based attacks by using the firewall/proxy setup + using Mozilla/Thunderbird as a web browser/email client. Configure IE with a NULL proxy setting (Tools -> Internet Options -> Connections -> LAN Settings -> proxy 10.2.2.2), i.e. pointing it at some non-existent private net. Then the apps that exploit IE will hit the NULL proxy, and coupled with egress filters you are mostly secure. Granted, MSN won't work, nor will other apps that require IE, but that is another evil unto itself. Note: find alternative apps for the ones that require IE.
PS: If you want to go even farther, to the Nth degree, the NULL proxy can be a packet trap: create a proxy that works w/o a gateway but is a NIDS/sniffer, so you can see what netblock the app is trying to contact, plus data content, etc.
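A minimal version of the packet-trap NULL proxy described in the PS, as added example code (not from the poster or from Smoothwall): it listens on the proxy address IE was pointed at, parses each proxy-style request line to log which host and port the application was trying to reach, and answers 403 without ever forwarding anything. The listen port 8080 and the log line format are assumptions.

```python
import socket
from urllib.parse import urlsplit

# Hypothetical packet-trap "NULL proxy": records destinations, forwards nothing.
LISTEN_ADDR = ("10.2.2.2", 8080)   # port is assumed; the post only gives the IP


def parse_proxy_request(raw: bytes):
    """Return (method, host, port, path) from a proxy-style request, or None."""
    try:
        line = raw.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return None                               # not an HTTP request line
    if not version.startswith("HTTP/"):
        return None
    if method == "CONNECT":                       # CONNECT host:port HTTP/1.1
        host, sep, port = target.rpartition(":")
        if not sep:
            host, port = target, ""
        return (method, host, int(port) if port.isdigit() else 443, "")
    parts = urlsplit(target)                      # GET http://host[:port]/path HTTP/1.1
    if not parts.hostname:
        return None                               # origin-form request, no destination
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (method, parts.hostname, port, parts.path or "/")


def handle(conn, addr, log):
    """Log the requested destination for one client connection, then refuse it."""
    req = parse_proxy_request(conn.recv(4096))
    if req:
        method, host, port, path = req
        log.append(f"{addr[0]} -> {method} {host}:{port}{path}")
    conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    conn.close()


def serve(log):
    """Accept connections on the NULL proxy address forever, appending to log."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(LISTEN_ADDR)
        srv.listen()
        while True:
            conn, addr = srv.accept()
            handle(conn, addr, log)


if __name__ == "__main__":
    serve([])
```

Run it on the firewall box with 10.2.2.2 bound to an internal interface; every entry in the log is an application that tried to leave through IE's proxy setting.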