From owner-freebsd-security Tue Jul 16 15:46:40 2002
From: "Mark D" <markd@cogeco.ca>
To: freebsd-security@freebsd.org
Subject: ipfw and its glory...
Date: Tue, 16 Jul 2002 18:46:38 -0400
Message-ID: <000101c22d1a$a54d6e70$6401a8c0@promethium>

Hello,

First, I hope this is appropriate for this list; if not, I'll gladly repost. I thought this could be a freebsd-questions question, but hey, I took a chance.

Alright, here we go...

I plan to run http, ftp, ssh, smtp, and pop on a LAN box (I'm going to treat it as a real box, just so I can be ready for when I do this in the future). I'd like http, ftp, pop, and smtp to be open to anyone, and ssh connections to be allowed only when I add the rule (to allow that specific host). I've read the man pages on ipfw and some other documents but am still confused.
Here is what I've put together so far (go easy on me):

    allow ip from trusted-ip-addy-1 to any
    allow ip from trusted-ip-addy-2 to any
    allow log tcp from any to any established
    allow log tcp from trusted-ip-addy-1 to any 22 in setup
    allow log udp from internal-addy to any 53
    allow log udp from any 53 to internal-addy
    allow log tcp from any to internal-addy 80,21,110,15 setup
    65535 deny ip from any to any

So... I'm not sure if that is the best approach (maybe adding a 'check-state' here and an 'established' there ;p), but I'm hoping the subscribers of this list could give me some insight on securing it properly and only allowing in/out what I've specified above.

I thank you in advance.

- Mark D
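One way to express the policy asked for above as a stateful ipfw ruleset, written as an added example rather than the poster's own rules: public tcp services open to anyone, ssh only from named trusted hosts, outgoing DNS, and everything else logged and dropped. The trusted addresses are placeholders, `me` is ipfw's keyword for the box's own addresses, and passing `echo` in place of `/sbin/ipfw` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the original poster's ruleset.  Builds a stateful
# ipfw ruleset for the described LAN box.  The first argument is the
# command used to install each rule: /sbin/ipfw to load, echo to preview.

# Placeholder trusted hosts; replace with the real ssh client addresses.
trusted1="${TRUSTED1:-192.0.2.10}"
trusted2="${TRUSTED2:-192.0.2.11}"

fw_rules() {
    fwcmd="${1:-/sbin/ipfw}"

    # Start from an empty ruleset so reloading the script is idempotent.
    $fwcmd -f flush

    # Loopback traffic never leaves the box; accept it first.
    $fwcmd add 100 allow ip from any to any via lo0

    # Packets belonging to flows already accepted by a keep-state rule.
    $fwcmd add 200 check-state

    # Public services (http, ftp, pop3, smtp).  'setup' matches only the
    # initial SYN; keep-state creates the dynamic entry for the rest.
    $fwcmd add 300 allow tcp from any to me 80,21,110,25 setup keep-state

    # ssh only from the trusted hosts; add one line per host you admit.
    $fwcmd add 400 allow tcp from "$trusted1" to me 22 setup keep-state
    $fwcmd add 401 allow tcp from "$trusted2" to me 22 setup keep-state

    # DNS lookups initiated by the box itself; replies match via state.
    $fwcmd add 500 allow udp from me to any 53 keep-state

    # Rule 65535 would deny anyway; an explicit final rule adds logging.
    $fwcmd add 65000 deny log ip from any to any
}

# Number of 'add' rules the script would load (the flush is not counted).
rule_count() {
    fw_rules echo | grep -c '^add '
}

# Usage:  sh fw.sh --load      (needs root and IPFIREWALL in the kernel)
#         sh fw.sh --dry-run   (prints the ipfw commands instead)
case "${1:-}" in
    --load)    fw_rules /sbin/ipfw ;;
    --dry-run) fw_rules echo ;;
esac
```

Note that ftp in passive mode needs a data-port range opened as well; the rule above only admits the control connection on port 21.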