From owner-freebsd-security Mon Aug 20 10:39:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by hub.freebsd.org (Postfix) with ESMTP id 87D0937B418 for ; Mon, 20 Aug 2001 10:39:12 -0700 (PDT) (envelope-from emechler@radix.cryptio.net)
Received: (from emechler@localhost) by radix.cryptio.net (8.11.3/8.11.3) id f7KHdA637701; Mon, 20 Aug 2001 10:39:10 -0700 (PDT) (envelope-from emechler)
Date: Mon, 20 Aug 2001 10:39:10 -0700
From: Erick Mechler
To: Martin McCormick
Cc: security@FreeBSD.ORG
Subject: Re: Firewall Rule Logic
Message-ID: <20010820103910.B36920@techometer.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from Martin McCormick on Sun, Aug 19, 2001 at 07:51:38PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

You'll want to set up something that goes like this:

...deny spoofing attacks
...allow all from localhost
...allow all established tcp connections
...allow all outgoing tcp connections
...allow specific ports (such as ssh, smtp, etc)
...deny all tcp connections

You'll want to duplicate this basic setup for your UDP/ICMP rules, etc.

:: Can I put a line at the end of the rule chain that goes
:: something like:
::
:: ${fwcmd} add 400 deny log tcp from any to a.host.okstate.edu all
::
:: and then put one rule per allowed port in to open up just those
:: ports that we need?

I have the following rule to disallow all outside access:

${fwcmd} add deny log tcp from any to any in via ${oif}

The ${oif} part can be important if your box is doing routing, or has
more than one interface.

--Erick

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
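The rule order Erick sketches, written out as an rc.firewall-style ipfw script. This is an added example, not code from the mail or from FreeBSD's own rc.firewall; the interface name fxp0, the inside network 10.0.0.0/24 and the dry-run default fwcmd=echo are assumptions (set fwcmd=/sbin/ipfw on the firewall itself).

```shell
#!/bin/sh
# Added example: ipfw rules in the order Erick lists, rc.firewall-style so
# ${fwcmd}, ${oif} and ${inet} can be substituted. Assumed values below.
fwcmd="${fwcmd:-echo}"        # dry run by default; /sbin/ipfw on the real host
oif="${oif:-fxp0}"            # outside interface (assumed name)
inet="${inet:-10.0.0.0/24}"   # inside network (assumed)

load_rules() {
    ${fwcmd} -f flush

    # Allow everything on the loopback interface, but refuse loopback
    # addresses on any other interface: those can only be spoofed.
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny log all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny log ip from 127.0.0.0/8 to any

    # Deny spoofing: packets claiming our inside addresses never arrive
    # legitimately on the outside interface.
    ${fwcmd} add 400 deny log ip from ${inet} to any in via ${oif}

    # Allow established TCP connections, then TCP connections we initiate.
    ${fwcmd} add 500 pass tcp from any to any established
    ${fwcmd} add 600 pass tcp from any to any out via ${oif} setup

    # One rule per service exposed to the outside (ssh, smtp here).
    ${fwcmd} add 700 pass tcp from any to me 22 in via ${oif} setup
    ${fwcmd} add 710 pass tcp from any to me 25 in via ${oif} setup

    # Deny and log every other inbound TCP connection attempt. The
    # "in via ${oif}" keeps inside-to-inside traffic on a router unaffected.
    ${fwcmd} add 800 deny log tcp from any to any in via ${oif}

    # Same pattern for UDP and ICMP: put pass rules for the services you
    # need above these, then deny and log the rest.
    ${fwcmd} add 900 deny log udp from any to any in via ${oif}
    ${fwcmd} add 1000 pass icmp from any to any icmptypes 0,3,11
    ${fwcmd} add 1010 deny log icmp from any to any in via ${oif}

    # Final catch-all for any protocol not handled above.
    ${fwcmd} add 1100 deny log ip from any to any in via ${oif}
}

load_rules
```

With fwcmd left at its echo default the script only prints the rules, so the order can be reviewed before it is loaded.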