Date: Wed, 9 Sep 1998 13:01:16 -0700 (PDT)
From: "Eric J. Schwertfeger" <ejs@bfd.com>
To: gmarco@giovannelli.it
Cc: hackers@FreeBSD.ORG
Subject: Re: Firewall rules ...
Message-ID: <Pine.BSF.4.01.9809091248540.8895-100000@harlie.bfd.com>
In-Reply-To: <98090921175004.00755@gmarco.eclipse.org>
On Wed, 9 Sep 1998, Gianmarco Giovannelli wrote:

> I have to set up a firewall for an ISP; I'd like to leave the possibility to
> use ICQ, RealAudio, Quake2 and others ...
>
> Is someone using some rules that don't prevent such applications from working?
>
> Any examples are welcome :-)

Exactly what is the ISP trying to achieve with the firewall? Without more specifics, I'd tend to go with a minimally intrusive firewall, based on the following ideas:

1) All outgoing packets from our netblock are allowed (not all packets, just those with our address, to prevent anon packet spoofing).

2) All incoming packets to ports 1-1023 are blocked unless it's a known service that you trust and wish to allow.

3) All incoming packets to ports 1024 and up are allowed unless it's a known problem port (1080, 6000, etc).

4a) Blocking outgoing connections to port 25, except your own mail servers, is a very debated point, the idea being to prevent your users from using direct-injection and relay-rape spamware.

The idea is that most services default to ports less than 1024 (i.e., http=80, telnet=23, smtp=25, etc). These you should block unless you've decided otherwise (the range, not the specific examples; blocking port 25 will make you unpopular if you block it to your own mail servers). User-invoked programs (web browsers, ICQ, etc) and daemons usually grab ports above 1023 (or is it 1024, have to check my firewall rules), but pose less of a security risk. The user-invoked programs are usually not listening for connections, but making connections on those ports (FTP being an exception), and user-run daemons would only be exploitable as that user, not as root, though that could be combined with a local exploit to gain root.
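An added example, not part of the thread, that encodes the four ideas above as a stateless packet-policy function so the boundary cases can be checked before they go into real firewall rules (the 1023/1024 edge the poster was unsure about, port 25 to your own mail server versus elsewhere, spoofed source addresses). The netblock, trusted low ports and mail-server address are constructed placeholders.

```python
import ipaddress

# Constructed example values; substitute the ISP's real netblock and servers.
OUR_NET = ipaddress.ip_network("192.0.2.0/24")
TRUSTED_LOW_PORTS = {22, 25, 53, 80}            # rule 2: low ports we chose to expose
PROBLEM_HIGH_PORTS = {1080, 6000}               # rule 3: known-problem ports from the mail
OUR_MAIL_SERVERS = {ipaddress.ip_address("192.0.2.25")}
BLOCK_OUTBOUND_SMTP = True                      # rule 4a, the debated one
LOW_PORT_MAX = 1023                             # ports 1-1023 are "service" ports


def decide(direction, src, dst, dport):
    """Return 'allow' or 'deny' for one packet under rules 1, 2, 3 and 4a.

    direction is 'out' (leaving our netblock) or 'in' (arriving from outside).
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if direction == "out":
        # Rule 1: only packets that really carry one of our addresses may leave.
        if src not in OUR_NET:
            return "deny"
        # Rule 4a: outbound SMTP only to our own mail servers.
        if BLOCK_OUTBOUND_SMTP and dport == 25 and dst not in OUR_MAIL_SERVERS:
            return "deny"
        return "allow"
    if direction == "in":
        # Rule 2: low ports are closed unless explicitly trusted.
        if 1 <= dport <= LOW_PORT_MAX:
            return "allow" if dport in TRUSTED_LOW_PORTS else "deny"
        # Rule 3: high ports (ICQ, RealAudio, Quake2 replies) are open
        # unless they are on the known-problem list.
        return "deny" if dport in PROBLEM_HIGH_PORTS else "allow"
    raise ValueError(f"unknown direction {direction!r}")


def boundary_report():
    """Evaluate the edge cases a reviewer would want to see before deploying."""
    outside, inside = "198.51.100.7", "192.0.2.10"
    return {
        "spoofed_out": decide("out", "203.0.113.9", outside, 4000),
        "smtp_to_own_mx": decide("out", inside, "192.0.2.25", 25),
        "smtp_to_elsewhere": decide("out", inside, outside, 25),
        "in_1023": decide("in", outside, inside, 1023),
        "in_1024": decide("in", outside, inside, 1024),
        "in_x11": decide("in", outside, inside, 6000),
    }
```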