From: "nascar24" <nascar24@home.nl>
To: freebsd-security@freebsd.org
Subject: Making a firewall more closed
Date: Mon, 1 Jul 2002 15:57:23 +0200
Message-ID: <01a001c22107$3d3b2850$0200a8c0@winxp>

Hello all,

I've been using IPFW for some time now, but I have one problem. I have closed my firewall (I guess) to attacks from the outside world, but I am open to attacks from within, i.e. trojan horses etc.

Here is my rc.firewall.rules file. I think it is in rules 500 and 550, but if I change them to 21,22,80,8080 I cannot connect to any websites or FTP sites.
    # allow loopback traffic
    add 100 allow ip from any to any via lo0

    # protect loopback address
    add 200 deny log ip from 127.0.0.1 to any
    add 249 deny log ip from any to 127.0.0.1

    # block spoofs
    add 400 deny log ip from me to any in via ed0

    # enable NATD
    add 425 divert 8668 ip from any to any via ed0

    # check dynamic rules
    add 450 check-state

    # make dynamic entries for all outgoing traffic
    add 500 allow log tcp from me to any 1-65535 keep-state out
    add 550 allow log udp from me to any 1-65535 keep-state out

    # services we offer to the world
    add 600 allow log tcp from any to me 22,5067,5617,8472,10000 keep-state in

    # pass ICMP
    add 700 allow log icmp from me to any out
    add 750 allow log icmp from any to me in

    # pass everything on private LAN
    add 800 allow log all from 192.168.0.0/16 to any
    add 850 allow log all from any to 192.168.0.0/16

    # log rejects that have fallen through
    add 65000 deny log ip from any to any

I hope you can help, thanks in advance.

Marcel.
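The following is an added example of how rules 500 and 550 above could be narrowed to an explicit port list without losing name resolution; it is not part of the original post. It keeps the poster's interface name (ed0), natd divert rule and check-state rule unchanged and only replaces the two egress rules. The TCP port list is the one the poster tried (21,22,80,8080), with 443 noted for HTTPS; the one addition that makes the list work is UDP 53, because with rule 550 limited to the same TCP ports no DNS query can leave the box and every web or FTP hostname fails to resolve, which looks exactly like "cannot connect to any websites".

```ipfw
# Added example, not the poster's file. Replaces rules 500 and 550 only;
# rules 100-450 and 600-65000 from the ruleset above stay as they are.
# Assumptions: outside interface is ed0, natd is on divert port 8668,
# rule 450 (check-state) precedes these rules so replies match the
# dynamic entries created by keep-state.

# outbound TCP only to the services in use: ftp, ssh, http, http-alt
# (add 443 here if HTTPS is needed; every other destination port falls
# through to rule 65000 and is logged and dropped)
add 500 allow log tcp from me to any 21,22,80,8080 out via ed0 setup keep-state

# outbound UDP only for DNS; without this nothing resolves
add 550 allow log udp from me to any 53 out via ed0 keep-state
```

Two caveats a practitioner would want with this. First, FTP: the control connection to port 21 now works, but passive-mode FTP opens a second connection to a server-chosen port that is not on this list, and active-mode FTP needs the server to connect back in through natd, so FTP needs its own handling (a wider passive range, or natd's -punch_fw option) rather than a single port in rule 500. Second, an egress port list only catches malware that picks an unusual port; a trojan that talks to its controller over TCP 80 passes rule 500 like any browser, so the value of this change is mostly the log entries from rule 65000 for everything that does not fit the list. Since rule 800 passes LAN traffic before NAT and rule 500 is evaluated after natd has rewritten the source to the firewall's own address, LAN hosts are subject to the same egress list.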