Date:      Fri, 26 Oct 2001 09:58:00 +0200
From:      "Patrick O'Reilly" <patrick@mip.co.za>
To:        "Eric Lam" <elam101083@earthlink.net>, <freebsd-questions@FreeBSD.ORG>
Subject:   RE: IPFW Rules Help
Message-ID:  <NDBBIMKICMDGDMNOOCAIEEEHDMAA.patrick@mip.co.za>
In-Reply-To: <IAEKKLIOEBMAKJIIGEBBCEKBCEAA.elam101083@earthlink.net>

Hi Eric.

(Someone please shoot me if the following advice is totally ludicrous!!!)

Eric, if this server is not actually a firewall, but an FTP/HTTP/SMB/SSH
server, then I would personally not worry about ipfw, but be sure to
configure each of those services correctly, and make sure that the box DOES
NOT RESPOND to anything else.

I would make sure that portmap is NOT running.  I would start daemons to
offer the various services (FTP, SSH, etc) on their respective ports, and I
would make sure that inetd is NOT running.

If you want inetd to fire up your FTP, then look at /etc/inetd.conf and make
sure that there are NO OTHER SERVICES enabled, except for those you
deliberately wish to offer.

Anyway, wait and see what other responses you get to this message of mine
before you follow this advice! :)

PS: I have just been looking at check-state with FTP.  See this discussion
in the archive over the last couple of days: "ipfw rules for FTP - passive
vs. active".  The two do not really go together :(

Patrick.

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Eric Lam
> Sent: 26 October 2001 03:19
> To: freebsd-questions@FreeBSD.ORG
> Subject: IPFW Rules Help
>
>
> Hello, I am attempting to construct an inclusive firewall, so that all ports
> and protocols (udp, tcp) are blocked by default, except ones specified,
> such as FTP, SSH, SMB, etc...  However, I am not using natd or trying to
> turn this into a router.  I am just trying to secure the box so that only
> specific services and their corresponding ports are open, and everything
> else closed.  xl0 is my ethernet card.  The 207/206 IPs are my DNS servers.
> Someone told me to do that check-state stuff for ftp; I have no idea what
> that is for, please advise on that.  I am wondering whether I did my rules
> correctly.  Thanks for your help.
>
> /sbin/ipfw add allow ip from any to any via lo0
> /sbin/ipfw add allow ip from any to any via xl0
> /sbin/ipfw add allow tcp from any to any 20 out xmit setup
> /sbin/ipfw add allow tcp from any to any 21 out xmit setup
> /sbin/ipfw add allow tcp from any to any 22 out xmit setup
> /sbin/ipfw add allow tcp from any to any 23 out xmit setup
> /sbin/ipfw add allow tcp from any to any 25 out xmit setup
> /sbin/ipfw add allow tcp from any to 207.151.38.154 53 out xmit setup
> /sbin/ipfw add allow tcp from any to 207.151.38.133 53 out xmit setup
> /sbin/ipfw add allow tcp from any to 206.117.120.66 53 out xmit setup
> /sbin/ipfw add allow tcp from any to any 80 out xmit setup
> /sbin/ipfw add allow tcp from any to any 110 out xmit setup
> /sbin/ipfw add allow tcp from any to any 139 out xmit setup
> /sbin/ipfw add allow tcp from any to any 3128 out xmit setup
> /sbin/ipfw add allow tcp from any to any via xl0 estab
> /sbin/ipfw add allow udp from any to any 137 out xmit
> /sbin/ipfw add check-state
> /sbin/ipfw add allow tcp from any to any keep-state
> /sbin/ipfw deny udp from any to any
> /sbin/ipfw add 65435 deny ip from any to any
> /sbin/ipfw add 65434 allow icmp from any to any


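Added example (not from this thread): a small POSIX sh audit of an inetd.conf in the spirit of the advice above, i.e. that only the services you deliberately offer should be enabled. The inetd.conf text is a constructed sample, and the helper names enabled_services and audit_inetd_conf are mine, not FreeBSD tools.

```shell
#!/bin/sh
# Audit an inetd.conf: list every entry that is still enabled and flag any
# service the box is not meant to offer.
# Constructed sample in the FreeBSD inetd.conf layout:
#   service  socket-type  proto  wait/nowait[/max]  user  program  args
SAMPLE_INETD_CONF='# constructed sample, not a real /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
finger  stream  tcp     nowait/3/10  nobody  /usr/libexec/fingerd  fingerd -s
#tftp   dgram   udp     wait    root    /usr/libexec/tftpd      tftpd -l -s /tftpboot
'

# enabled_services: read inetd.conf text on stdin and print "service/proto"
# for each entry that is not commented out (blank and malformed lines skip).
enabled_services() {
    awk '
        /^[ \t]*#/ { next }   # commented-out entry: disabled
        NF < 6     { next }   # blank line or not a complete entry
                   { print $1 "/" $3 }
    '
}

# audit_inetd_conf CONF ALLOWLIST: print each enabled entry that is not in
# the space-separated ALLOWLIST (e.g. "ftp/tcp"). Empty output means only
# the deliberately offered services are enabled.
audit_inetd_conf() {
    conf=$1
    allow=" $2 "
    printf '%s\n' "$conf" | enabled_services | while read -r entry; do
        case "$allow" in
            *" $entry "*) ;;                # deliberately offered: fine
            *) printf '%s\n' "$entry" ;;    # enabled but not wanted: report
        esac
    done
}

# Stand-alone run against the constructed sample, allowing only FTP.
# On a real box: audit_inetd_conf "$(cat /etc/inetd.conf)" "ftp/tcp"
extra=$(audit_inetd_conf "$SAMPLE_INETD_CONF" "ftp/tcp")
if [ -n "$extra" ]; then
    printf 'enabled but not on the allow-list:\n%s\n' "$extra"
else
    echo 'inetd.conf offers only the allowed services'
fi
```

On a FreeBSD box the complement to this file check is `sockstat -4l`, which lists every listening socket whether inetd or a standalone daemon owns it.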