From: Bill Moran <wmoran@potentialtech.com>
To: Kevin Curran
cc: freebsd-questions@freebsd.org
Date: Wed, 16 Jun 2004 07:20:32 -0400
Subject: Re: Are 4 IPFW rules enough?
Message-Id: <20040616072032.0a5ee617.wmoran@potentialtech.com>
In-Reply-To: <1087261927.5494.11.camel@tower>
Organization: Potential Technologies

Kevin Curran wrote:

> I have a cable modem and I'm using 4.9 as a NAT router for my home
> network. I have 4 rules in my ipfw config. The first enables NAT and
> the last is 65000 allow any to any.
>
> In between I have 2 rules to deny access to ports 53 and 110 on the
> Internet side. That's all.
>
> Here's my thinking: I use inetd.conf to enable only the services I want,
> therefore the ports on which those services are listening I would want
> open. The two other ports I want to filter on the WAN side are filtered
> by the rules above. All the other ports are closed, anyway, so why
> spend time debugging an elaborate rule set?

Check the output of "sockstat -4" to ensure that you don't have anything
running that you aren't aware of ... syslogd is a typical culprit. You'll
probably have to add syslogd_flags="-ss" to /etc/rc.conf

Otherwise, you're probably good, except that there are some spoofing
techniques that may be able to get around such a ruleset. That's beyond
my expertise, however.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
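The "sockstat -4" check Bill recommends, written out as an added shell example (not part of the original thread): it reads sockstat output, lists every socket that is bound to all interfaces and waiting for peers, compares that against the ports the administrator meant to expose through inetd.conf, and reads the effective syslogd_flags value out of rc.conf. The sockstat output and rc.conf lines below are constructed samples, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the original thread.
# Audits what is actually listening on a FreeBSD 4.x NAT box, which is the
# reason Bill suggests "sockstat -4": a "deny all but inetd" mental model only
# holds if nothing outside inetd (syslogd, for instance) has opened a port.

# Constructed sample of "sockstat -4" output. Columns on FreeBSD 4.x:
#   USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
# A socket waiting for peers on every interface shows "*:port" locally and
# "*:*" as the foreign address. The sendmail line is bound to 127.0.0.1 only,
# so it is not reachable from the cable side and must not be reported.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312    3 tcp4   *:22                  *:*
root     syslogd    201    4 udp4   *:514                 *:*
root     sendmail   280    4 tcp4   127.0.0.1:25          *:*
root     inetd      300    5 tcp4   *:21                  *:*
kevin    sylpheed   1002   7 tcp4   192.168.1.2:49152     10.0.0.5:110
root     sshd       1100   4 tcp4   192.168.1.1:22        192.168.1.2:50001'

# Constructed /etc/rc.conf fragment. rc.conf is sourced by sh, so when a
# variable is assigned twice the last assignment wins.
SAMPLE_RCCONF='hostname="tower"
syslogd_flags="-s"
# later edit, this is the one that takes effect
syslogd_flags="-ss"'

# Read sockstat output on stdin; print "PROTO PORT COMMAND" for each socket
# bound to all addresses with no peer, i.e. reachable from any interface.
listening_sockets() {
    awk 'NR > 1 && $7 == "*:*" && $6 ~ /^\*:/ {
        split($6, addr, ":")
        print $5, addr[2], $2
    }'
}

# Read sockstat output on stdin; print every exposed listener whose
# "proto/port" is not in the space-separated list given as $1.
# The list is what the administrator believes inetd.conf (and nothing else)
# has opened; anything printed is a service the ruleset does not account for.
unexpected_listeners() {
    expected="$1"
    listening_sockets | while read proto port cmd; do
        case " $expected " in
            *" $proto/$port "*) ;;
            *) echo "$proto/$port ($cmd)" ;;
        esac
    done
}

# Read rc.conf text on stdin; print the effective syslogd_flags value.
# Assumes the value is double-quoted, as in Bill's syslogd_flags="-ss".
# On FreeBSD, -s stops syslogd from accepting remote log messages and -ss
# stops it from opening a network socket at all.
syslogd_flags_from_rcconf() {
    awk -F'"' '/^[[:space:]]*syslogd_flags=/ { v = $2 } END { print v }'
}

# Stand-alone run against the constructed samples; on a live box replace the
# printf with:  sockstat -4 | unexpected_listeners "tcp4/22 tcp4/21"
echo "Exposed listeners not accounted for by inetd.conf:"
printf '%s\n' "$SAMPLE_SOCKSTAT" | unexpected_listeners "tcp4/22 tcp4/21"
echo "Effective syslogd_flags: $(printf '%s\n' "$SAMPLE_RCCONF" | syslogd_flags_from_rcconf)"
```

Against the constructed sample the only unexpected listener is udp4/514 (syslogd), which is exactly the case Bill describes; once syslogd_flags="-ss" is the effective setting and syslogd is restarted, the udp4 line disappears from sockstat and the four-rule model matches what the box exposes.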