From: Eric Timme
To: freebsd-security@freebsd.org
Subject: gateway security?
Date: Mon, 9 Dec 2002 13:17:15 -0600
Message-Id: <200212091317.15077.timothy@voidnet.com>

Hi everyone, I was wondering if someone could point me in the direction of some discussions of general security in a LAN environment with a FreeBSD machine doing NAT/firewalling? I haven't had a ton of luck browsing the archives and finding any discussions. I've read over the general primer, but would like to read about some actual deployment of security when your headless gateway sits in a dark closet, accumulating dust.

Currently I have a pretty restrictive set of firewall rules in place, allowing only http and ssh traffic from the outside, and I require DES public/private keys for ssh access. There is a single user account on the gateway, and root logins are disallowed from all but console. The gateway is doing a single NFS export of my public_html directory for easy access from an internal FreeBSD gateway.
As for current security, it is a little lacking, but I am planning to wipe and reinstall now that winter break affords me some freedom from schoolwork. I have the following settings in my partitioning scheme (ad0 is 1.5 gig, and with this partitioning scheme I just barely fit, and use ad1 for additional space), and use secure level 2 for daily operations.

/dev/ad0s1a / rw,nosuid
/dev/ad0s1e /tmp rw,noexec,nosuid
/dev/ad0s1g /usr ro
/dev/ad1s1e /usr/obj ro
/dev/ad0s1d /usr/home rw,noexec,nosuid
/dev/ad1s2e /usr/home/timothy/public_html rw,nosuid
/dev/ad0s1h /usr/local ro,nosuid
/dev/ad0s1f /var rw,noexec,nosuid

I've been using snort with a remote acid installation with alright success, but it has never quite worked right, and am considering junking it, simply because I don't see a lot of other people using it, and it has only been of marginal success, spending more time picking up proxy scans from IRC and false positives than anything else.

I'm planning to deploy aide with a write protected diskette, but would like some advice as to other products to look into; I don't access the machine regularly, aside from the NFS mount of my public_html directory, so would like to find something that could email me status updates daily, or bi-daily, ala the daily messages, which I currently forward to myself, to help reassure me nobody is poking around in it.

Thanks for any pointers you can give me.
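One way to get the daily reassurance the post asks for, as an added example that is not part of the original message: a small POSIX sh audit that checks an fstab-style mount table against the noexec/nosuid/ro policy laid out above and prints every deviation, so a daily cron or periodic job can mail the output. The mount table and policy below are constructed samples (two deviations planted on purpose), not the poster's real files.

```shell
#!/bin/sh
# Added example: audit mount options against a hardening policy.
# Constructed sample table in the post's layout, with /tmp missing noexec
# and /usr mounted rw so that the audit has something to report.
SAMPLE_FSTAB='/dev/ad0s1a / rw,nosuid
/dev/ad0s1e /tmp rw,nosuid
/dev/ad0s1g /usr rw
/dev/ad0s1d /usr/home rw,noexec,nosuid
/dev/ad0s1f /var rw,noexec,nosuid'

# Policy: mount point, then the options that must be present on it.
POLICY='/tmp noexec,nosuid
/usr ro
/usr/home noexec,nosuid
/var noexec,nosuid'

# has_opt OPTLIST OPT: succeeds if OPT is one of the comma-separated options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_fstab FSTAB_TEXT POLICY_TEXT: prints one line per violation.
audit_fstab() {
    fstab=$1
    printf '%s\n' "$2" | while read -r mp required; do
        # Options actually configured for this mount point (third field).
        actual=$(printf '%s\n' "$fstab" | awk -v mp="$mp" '$2 == mp { print $3 }')
        if [ -z "$actual" ]; then
            echo "$mp: not present in mount table"
            continue
        fi
        for opt in $(printf '%s' "$required" | tr ',' ' '); do
            has_opt "$actual" "$opt" || echo "$mp: missing $opt (has $actual)"
        done
    done
}

# count_violations: number of deviations found in the constructed sample.
count_violations() {
    audit_fstab "$SAMPLE_FSTAB" "$POLICY" | wc -l | tr -d ' '
}

# Run against the sample; replace SAMPLE_FSTAB with `cat /etc/fstab` on a real host.
audit_fstab "$SAMPLE_FSTAB" "$POLICY"
```

An empty report means the table still matches the policy; a non-empty one is worth reading before anything else that day.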