From: "Andrey Simonenko" <simon@comsys.ntu-kpi.kiev.ua>
To: "Peter Salvage"
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW Rules
Date: Wed, 4 Jul 2001 10:53:09 +0400

----- Original Message -----
From: Peter Salvage
To: Andrey Simonenko
Sent: Monday, July 02, 2001 5:32 PM
Subject: Re: IPFW Rules

> > Try /etc/rc.firewall, this file has comments.
> > Probably it would be better to tell us what exactly you want to protect
> > with IP Firewall.
>
> Hi Andrey
>
> Thanks for the info! I'm already reading the resources that Ling Ling was kind
> enough to provide to me, but briefly...
>
> I'm wanting to:
> allow port 80 on my www box
> allow ports 25, 110, 113 on my mailserver
> allow tcp/udp ports 53 on my nameservers
> allow ssh traffic (port 22?)
> allow nntp (port 123)
> allow webmail on one host (port 8181)
> allow RADIUS queries on our RADIUS box

Everything you said can be easily implemented with any type of firewall (IP Firewall or IP Filter). But are you sure that you have to deny all other connections? Maybe it is better to close IPs/ports for some services on your server: for example, you can remove unneeded services in /etc/inetd.conf, add the "-ss" flag to syslogd, and tell Squid/Apache/whatever to listen on the LAN NIC or on the WAN NIC.

> Deny spoofing of my address range(s)
> ...and er...I guess deny everything else :)

Some information about this can be found in the ipfw(8) and ipf(5) manual pages; you can also dig the news archives at www.deja.com.
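Below is an added example of an ipfw(8) rule set that covers the list in the thread (the allowed services, anti-spoofing for the address range, deny everything else). It is not code from the original post and not FreeBSD's /etc/rc.firewall. Everything host-specific is assumed: fxp0 as the WAN interface of a perimeter box, 192.0.2.0/24 (the documentation prefix) standing in for the real public range, one address per server, RADIUS on UDP 1812/1813, and the `FWCMD` variable and `fw_rules` function are the example's own names. The post lists nntp as port 123; NNTP is TCP 119 and UDP 123 is NTP, so the rules open TCP 119 (if NTP was meant, it would be a udp rule for 123 instead).

```sh
#!/bin/sh
# Added example for the rule list in the thread; not code from the original post
# and not FreeBSD's /etc/rc.firewall. Hosts, addresses and the WAN interface are
# assumed: 192.0.2.0/24 is the documentation prefix standing in for the real range.
# With FWCMD unset the rules are only printed (dry run); FWCMD=/sbin/ipfw applies them.

fw_rules() {
    fwcmd="${FWCMD:-echo}"
    oif="fxp0"                      # assumed WAN interface
    net="192.0.2.0/24"              # assumed public range
    www="192.0.2.10"; mail="192.0.2.11"
    ns1="192.0.2.12"; ns2="192.0.2.13"
    webmail="192.0.2.14"; radius="192.0.2.15"

    $fwcmd -f flush

    # Loopback only on lo0; 127/8 must not appear on a real interface.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 210 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: our own range and RFC 1918 space never arrive from the WAN,
    # and only our range may leave through it.
    $fwcmd add 300 deny ip from $net to any in via $oif
    $fwcmd add 310 deny ip from 10.0.0.0/8 to any in via $oif
    $fwcmd add 320 deny ip from 172.16.0.0/12 to any in via $oif
    $fwcmd add 330 deny ip from 192.168.0.0/16 to any in via $oif
    $fwcmd add 400 allow ip from $net to any out via $oif
    $fwcmd add 410 deny ip from any to any out via $oif

    # Replies to TCP connections our hosts opened.
    $fwcmd add 1000 allow tcp from any to any established

    # The services from the post; "setup" matches only the SYN, so the
    # direction of each connection is fixed.
    $fwcmd add 1100 allow tcp from any to $www 80 setup
    $fwcmd add 1200 allow tcp from any to $mail 25,110,113 setup
    for ns in $ns1 $ns2; do
        $fwcmd add 1300 allow tcp from any to $ns 53 setup
        $fwcmd add 1300 allow udp from any to $ns 53
        $fwcmd add 1310 allow udp from any 53 to $ns   # answers to the nameservers' own lookups
    done
    $fwcmd add 1400 allow tcp from any to $net 22 setup
    $fwcmd add 1500 allow tcp from any to $net 119 setup            # NNTP (TCP 119)
    $fwcmd add 1600 allow tcp from any to $webmail 8181 setup
    $fwcmd add 1700 allow udp from any to $radius 1812,1813         # RADIUS auth/acct (assumed ports)

    # Everything else: drop and log. "log" needs IPFIREWALL_VERBOSE in the kernel.
    $fwcmd add 65000 deny log ip from any to any
}

fw_rules
```

Run it as is to see the rules, then `FWCMD=/sbin/ipfw sh rules.sh` (file name is hypothetical) to load them. The final deny duplicates the kernel's default rule 65535 unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, but it logs what the default would silently drop. Rule 1000's `established` matches any packet with ACK or RST set, so ACK probes pass it; ipfw's `keep-state`/`check-state` dynamic rules (in FreeBSD 4.x) are the tighter alternative. Pair the rule set with the host hardening from the reply: trim /etc/inetd.conf and set `syslogd_flags="-ss"` in /etc/rc.conf.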