From: Steve Lewis
Date: Sat, 19 Aug 2000 01:02:36 -0700 (PDT)
To: "David J. Kanter"
Cc: FreeBSD questions
Subject: Re: To firewall or not to firewall...
In-Reply-To: <20000818205952.A8313@localhost.localdomain>

On Fri, 18 Aug 2000, David J. Kanter wrote:

> I've read that a firewall isn't really needed for one machine. Some say that
> ppp filters are better here.

That isn't really the question. You want to filter the traffic that reaches your machine. Use a tool that helps you do that.

If you use ipfw (for example) on a single-homed machine (one NIC) connected directly to the internet, you would be using ipfw to protect (and possibly log) services which you do not want to make available to the world but still want to have available, at least locally. Look up the 'client' profile in rc.firewall and in The Handbook and see where it overlaps your situation.

> Nonetheless, I have turned off inetd and according to nmap these are the
> ports of concern:

With inetd completely off you may have a difficult time logging *attempts*. You reduce your vulnerability, this is true, but you also blindfold yourself. Consider removing all services served by inetd and replacing them with folgers crystals (or with logging mechanisms) and see if folks notice... you certainly will.
> Port     State   Service
> 25/tcp   open    smtp
> 53/tcp   open    domain
> 111/tcp  open    sunrpc
> 515/tcp  open    printer
> 6000/tcp open    X11
> 7101/tcp open    unknown

> One question that arises is when to block "in" and/or "out" connections.
> It's a matter of not knowing where the "in" is coming from and where the
> "out" is coming from and going to.

If you are using the service yourself, the connection attempt comes from 127.0.0.1 aka lo0 aka the loopback. Usually the first rule I see in ipfw firewalls is to allow any traffic from 127.0.0.1. There, now you know that anything else comes from outside. If connections to port 6000 are not coming from lo0 you want to block them. Place a deny rule for port 6000 after an allow rule for lo0. Thus you have a place to start building your rules.

############ using ipfw in these examples
$fwcmd add 100 pass all from any to any via lo0
$fwcmd add 200 deny all from any to 127.0.0.0/8
# Don't allow connections to X11 from outside lo0
$fwcmd add 300 deny log all from any to any 6000

See, this is easy!

> For instance, I should let "in" connections to port 25, right, but refuse
> "in" connections to port 6000? If I refuse "out" connections to port 6000
> will I then block use of X on my machine?

Um, you probably don't want to allow connections to port 25. That is only necessary if you are running a mail server, and considering you are getting a dynamic IP, I doubt you are. You probably have sendmail enabled on port 25. It is being started with the following flags by default.

# sendmail_flags="-bd -q30m"  # -bd is pretty mandatory.

Remove the '-bd' and you have taken care of the port 25 issue. While you are at it, you probably don't need rpc. Disable that as well. You probably see a trend here. Do you need to have lpd running? Does it need to be network-alert? Are you running a DNS server? Do you really need to? Can you make it not listen on port 53? Only protect those services you really want (like X11) or need.
This makes your packet filter simpler and your life easier.

> Perhaps I'm confused with where the firewall "sits." How correct is this
> schematic:
>
> 127.0.0.1 <---> firewall <---> NIC <---> Gateway <---> Internet

I can't really advise because your schematic doesn't make sense to me. I don't understand where you think the boundaries are of each machine... You said already there is only one computer. Try this:

Host <---> Internet

-Host is your machine.
-Host is a firewall in this case.
-If Host had more than one NIC and it was connected to two networks (a LAN and the Internet for example) it could be a gateway and a firewall.
-Every machine is 127.0.0.1 in its own eyes.

--Steve
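Steve's three rules and the ordering point behind them (allow lo0 first, deny port 6000 after it), worked through as an added toy evaluator written for this archive copy; it is not code from the thread or from FreeBSD. It models ipfw's first-match semantics only for the keywords those rules use; the interface name ed0, the sample addresses and the explicit trailing rule 65535 are constructed (a default kernel ends the ruleset with an implicit deny-everything rule 65535).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

@dataclass(frozen=True)
class Packet:
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination TCP port
    iface: str    # interface the packet passes through ("lo0" or the NIC)

@dataclass(frozen=True)
class Rule:
    number: int
    action: str           # "pass" or "deny"
    log: bool             # the "log" keyword
    dst_net: str          # "any" or a CIDR, as in "to 127.0.0.0/8"
    dport: Optional[int]  # None means any port
    via: Optional[str]    # interface for "via <iface>", None if absent

# Steve's three rules plus ipfw's implicit final rule 65535 (deny all in a default kernel).
RULES = [
    Rule(100, "pass", False, "any", None, "lo0"),
    Rule(200, "deny", False, "127.0.0.0/8", None, None),
    Rule(300, "deny", True, "any", 6000, None),
    Rule(65535, "deny", False, "any", None, None),
]
# Constructed misordering: the X11 deny placed before the lo0 allow, which Steve warns against.
MISORDERED = [Rule(100, "deny", True, "any", 6000, None),
              Rule(300, "pass", False, "any", None, "lo0"), RULES[3]]

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if rule.dst_net != "any" and (ipaddress.ip_address(pkt.dst)
                                  not in ipaddress.ip_network(rule.dst_net)):
        return False
    return rule.dport is None or rule.dport == pkt.dport

def evaluate(pkt: Packet, rules: List[Rule] = RULES,
             log: Optional[List[str]] = None) -> Tuple[str, int]:
    """ipfw checks rules in ascending number; the first match decides."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            if rule.log and log is not None:  # "deny log" -> a syslog line
                log.append(f"ipfw: {rule.number} Deny TCP {pkt.src} "
                           f"{pkt.dst}:{pkt.dport} in via {pkt.iface}")
            return rule.action, rule.number
    return "deny", 65535  # not reached: rule 65535 always matches
```

A local X11 connection over lo0 passes at rule 100 under RULES but is denied (and logged) at the X11 rule under MISORDERED, which is the whole reason for the ordering; a packet arriving on the NIC with a 127/8 destination is stopped by rule 200 before the logging rule ever sees it.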