Date: Mon, 20 Aug 2001 10:39:10 -0700
From: Erick Mechler <emechler@techometer.net>
To: Martin McCormick <martin@dc.cis.okstate.edu>
Cc: security@FreeBSD.ORG
Subject: Re: Firewall Rule Logic
Message-ID: <20010820103910.B36920@techometer.net>
In-Reply-To: <E15YdI2-0002Qo-00@dc.cis.okstate.edu>; from Martin McCormick on Sun, Aug 19, 2001 at 07:51:38PM -0500
References: <E15YdI2-0002Qo-00@dc.cis.okstate.edu>
You'll want to set up something that goes like this:

...deny spoofing attacks
...allow all from localhost
...allow all established tcp connections
...allow all outgoing tcp connections
...allow specific ports (such as ssh, smtp, etc)
...deny all tcp connections

You'll want to duplicate this basic setup for your UDP/ICMP rules, etc.

:: Can I put a line at the end of the rule chain that goes
:: something like:
::
:: ${fwcmd} add 400 deny log tcp from any to a.host.okstate.edu all
:: and then put one rule per allowed port in to open up just those
:: ports that we need?

I have the following rule to disallow all outside access:

${fwcmd} add deny log tcp from any to any in via ${oif}

The ${oif} part can be important if your box is doing routing, or has more than one interface.

--Erick
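The rule ordering Erick lists, written out as a complete ipfw rule set in the ${fwcmd} style of FreeBSD's rc.firewall. This is an added example, not code from the thread: the interface name fxp0, the inside network 192.168.1.0/24, the rule numbers and the allowed ports 22 and 25 are assumptions for illustration. By default fwcmd only echoes the commands (a dry run that works on any host); set FWCMD=/sbin/ipfw on a FreeBSD box to load the rules for real.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw rule set in the order
# Erick describes. Interface, address and port values are assumptions.
# With the default fwcmd the rules are only printed; FWCMD=/sbin/ipfw
# applies them.

fwcmd="${FWCMD:-echo ipfw}"
oif="${OIF:-fxp0}"                  # outside interface (assumed name)
inet="${INET:-192.168.1.0/24}"      # inside network behind ${oif} (assumed)

build_rules() {
    ${fwcmd} -f flush

    # 1. Deny spoofing: a packet claiming an inside source address must
    #    never arrive on the outside interface, and loopback addresses
    #    never legitimately cross a wire.
    ${fwcmd} add 100 deny log all from ${inet} to any in via ${oif}
    ${fwcmd} add 110 deny log all from 127.0.0.0/8 to any in via ${oif}
    ${fwcmd} add 120 deny log all from any to 127.0.0.0/8 in via ${oif}

    # 2. Allow everything on the loopback interface.
    ${fwcmd} add 200 allow all from any to any via lo0

    # 3. Allow packets that belong to already established TCP connections
    #    (any segment with ACK or RST set).
    ${fwcmd} add 300 allow tcp from any to any established

    # 4. Allow all outgoing TCP connections (SYN-only segments leaving).
    ${fwcmd} add 400 allow tcp from any to any out via ${oif} setup

    # 5. Allow specific inbound services, one rule per port: only the
    #    connection setup packet needs a rule, rule 300 carries the rest.
    for port in 22 25; do
        ${fwcmd} add 500 allow tcp from any to any ${port} in via ${oif} setup
    done

    # 6. Deny and log every other TCP packet arriving from outside.
    ${fwcmd} add 600 deny log tcp from any to any in via ${oif}
}

# Returns the rule numbers in the order they would be loaded, one per
# line, so the ordering can be checked before touching a live box.
rule_numbers() {
    build_rules | awk '$2 == "add" { print $3 }'
}

build_rules
```

Because ipfw evaluates rules in ascending number order and stops at the first match, the established rule at 300 must sit before the per-port allows and the catch-all deny at 600 must come last; rule_numbers makes that ordering easy to eyeball on a non-FreeBSD host before the script is ever run with FWCMD=/sbin/ipfw.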