Date: Wed, 18 Nov 1998 08:12:17 -0800 (PST)
From: David Wolfskill <dhw@whistle.com>
Message-Id: <199811181612.IAA04718@pau-amma.whistle.com>
To: gandolf@gandolf.ml.org
Subject: Re: Firewalling
Cc: freebsd-questions@FreeBSD.ORG
In-Reply-To: <199811180207.VAA02843@gandolf.ml.org>

>From: "Jeff Hamilton"
>Date: Tue, 17 Nov 1998 21:07:50 -0500 (EST)
>
>I am trying to set up ipfw to block any unwanted access to nfs, mount,
>rpc, samba, pop and dns ports.
>
>I am currently firewalling 53,110,111,137,138,139, and 2049 with both
>tcp and udp.
>
>Are there any other ports that I should block to prevent unwanted access
>to these services?

This may be more of a philosophical point (but my namesake was a philosopher, for whatever that's worth...), but I suggest you approach this from the opposite perspective: Block everything except the services that you know you want to support.

I have also found it useful to have a "catch-all" high-numbered rule to block & log everything. Then, for things I neither want to permit through, nor do I really want to be reminded that they exist (UDP 137 & 138, anyone?), I'll insert a slightly lower-numbered rule to silently drop those on the floor.
david
--
David Wolfskill
UNIX System Administrator
dhw@whistle.com
voice: (650) 577-7158
pager: (650) 371-4621