Date: Fri, 31 Mar 2000 10:55:59 -0500 From: "Adam Woodbeck (KEYKERTUSA)" <Adam_Woodbeck@keykertusa.com> To: <freebsd-security@freebsd.org> Subject: Firewall rules for an internet FTP server? Message-ID: <0039010010682121000002L112*@MHS>
I'm putting an ftp server online soon and I wanted to get your input on what
ports you suggest I open up to the Internet. I have the firewall set up to use
the "client" configuration. I've added a few lines to open up FTP to the
Internet as well as allow other services to my local network. I've also added
what I think will allow me to update the FTP server through CVS. Does anyone
suggest I change anything on this configuration or does it look pretty complete?
Thanks for the help!
Adam
# set these to your network and netmask and ip
net="10.0.0.0"
mask="255.255.255.0"
ip="10.0.0.10"
# Allow ping to or from anyone.
# ICMP flood protection compiled into the kernel.
${fwcmd} add pass icmp from ${ip} to any
${fwcmd} add pass icmp from any to ${ip}
# Allow ftp access to or from anyone.
${fwcmd} add pass tcp from ${ip} 21 to any
${fwcmd} add pass tcp from any to ${ip} 21
${fwcmd} add pass udp from ${ip} 21 to any
${fwcmd} add pass udp from any to ${ip} 21
# Allow CVS access (pserver on 2401, plus 5999)
${fwcmd} add pass tcp from ${ip} 2401 to any
${fwcmd} add pass tcp from any to ${ip} 2401
${fwcmd} add pass udp from ${ip} 2401 to any
${fwcmd} add pass udp from any to ${ip} 2401
${fwcmd} add pass tcp from ${ip} 5999 to any
${fwcmd} add pass tcp from any to ${ip} 5999
# Allow ssh traffic to or from my own net.
${fwcmd} add pass tcp from ${ip} 22 to ${net}:${mask}
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 22
${fwcmd} add pass udp from ${ip} 22 to ${net}:${mask}
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 22
# Allow smtp traffic to or from my own net.
${fwcmd} add pass tcp from ${ip} 25 to ${net}:${mask}
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 25
${fwcmd} add pass udp from ${ip} 25 to ${net}:${mask}
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 25
# Allow domain traffic to or from my own net.
${fwcmd} add pass tcp from ${ip} 53 to ${net}:${mask}
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 53
${fwcmd} add pass udp from ${ip} 53 to ${net}:${mask}
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 53
# Allow http traffic to or from my own net.
${fwcmd} add pass tcp from ${ip} 80 to ${net}:${mask}
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 80
${fwcmd} add pass udp from ${ip} 80 to ${net}:${mask}
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 80
# Allow pop3 traffic to or from my own net.
${fwcmd} add pass tcp from ${ip} 110 to ${net}:${mask}
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 110
${fwcmd} add pass udp from ${ip} 110 to ${net}:${mask}
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 110
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${ip} 25 setup
# Allow setup of outgoing TCP connections only
${fwcmd} add pass tcp from ${ip} to any setup
# Disallow setup of all other TCP connections
${fwcmd} add deny tcp from any to any setup
# Allow DNS queries out in the world
${fwcmd} add pass udp from any 53 to ${ip}
${fwcmd} add pass udp from ${ip} to any 53
# Allow NTP queries out in the world
${fwcmd} add pass udp from any 123 to ${ip}
${fwcmd} add pass udp from ${ip} to any 123
# Everything else is denied by default
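Added example (my own code, not from the post or from FreeBSD's ipfw): a first-match evaluator for the ipfw rule subset used above, to check which connection attempts the ruleset admits from the Internet before the server goes online. It assumes the `${fwcmn}` lines were meant to read `${fwcmd}`, models only tcp/udp rules with host, `net:mask` and `any` addresses, and implements the `setup` and `established` options as ipfw defines them; the sample addresses are constructed.

```python
import ipaddress

NET, MASK, IP = "10.0.0.0", "255.255.255.0", "10.0.0.10"
# The post's rules with ${...} substituted and ${fwcmn} read as ${fwcmd}; the
# other local-net-only service pairs (smtp, dns, http, pop3) mirror the ssh one.
RULESET = [r.format(net=NET, mask=MASK, ip=IP) for r in (
    "pass tcp from any to {ip} 21",
    "pass tcp from {net}:{mask} to {ip} 22",
    "pass tcp from any to any established",
    "pass tcp from any to {ip} 25 setup",
    "pass tcp from {ip} to any setup",
    "deny tcp from any to any setup",
    "pass udp from any 53 to {ip}",
)]

def _addr(tok):  # 'any' -> None (wildcard); 'net:mask' -> network; host -> /32
    if tok == "any":
        return None
    net, _, mask = tok.partition(":")
    return ipaddress.ip_network(f"{net}/{mask or '32'}", strict=False)

def parse(rule):  # <action> <proto> from <addr> [port] to <addr> [port] [opts]
    w = rule.split()
    i = w.index("to")
    rest = w[i + 2:]
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    return {"action": w[0], "proto": w[1], "src": _addr(w[3]),
            "sport": int(w[4]) if i == 5 else None,
            "dst": _addr(w[i + 1]), "dport": dport, "opts": set(rest)}

def matches(r, p):  # ipfw: setup = SYN without ACK; established = ACK or RST set
    if r["proto"] not in ("all", "ip", p["proto"]):
        return False
    if any(r[k] is not None and ipaddress.ip_address(p[k]) not in r[k]
           for k in ("src", "dst")):
        return False
    if any(r[k] is not None and r[k] != p.get(k) for k in ("sport", "dport")):
        return False
    f = p.get("flags", set())
    if "setup" in r["opts"] and not ("SYN" in f and "ACK" not in f):
        return False
    return "established" not in r["opts"] or bool(f & {"ACK", "RST"})

def verdict(p, rules=RULESET):  # first match wins; the implicit last rule is deny
    hits = [(r.split()[0], n) for n, r in enumerate(rules, 1) if matches(parse(r), p)]
    return hits[0] if hits else ("deny", None)

def tcp_syn(src, dst, dport, sport=40000):  # a new TCP connection attempt
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": {"SYN"}}
```

Evaluating a passive-mode FTP data connection (a SYN from the Internet to a high port on ${ip}) returns deny from the final `deny tcp ... setup` rule, so passive transfers will not work with this ruleset as posted. The `established` rule, by contrast, admits any packet with ACK or RST set to any port.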
