From owner-freebsd-security Fri Mar 31 7:58:25 2000
Delivered-To: freebsd-security@freebsd.org
Received: from usgate02.e-mail.com (usgate02.e-mail.com [204.146.55.142]) by hub.freebsd.org (Postfix) with ESMTP id 85C1337BAEA for ; Fri, 31 Mar 2000 07:58:00 -0800 (PST) (envelope-from Adam_Woodbeck@keykertusa.com)
Received: by usgate.e-mail.com with SMTP id PAA101088 for ; Fri, 31 Mar 2000 15:55:59 GMT
Received: by SCH.ADVANTIS.COM (Soft-Switch LMS 3.2) with snapi via USCCRG01 id 0039010010682121; Fri, 31 Mar 2000 10:55:59 -0500
From: "Adam Woodbeck (KEYKERTUSA)"
To:
Subject: Firewall rules for an internet FTP server?
Message-ID: <0039010010682121000002L112*@MHS>
Date: Fri, 31 Mar 2000 10:55:59 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm putting an ftp server online soon and I wanted to get your input on what ports you suggest I open up to the Internet. I have the firewall set up to use the "client" configuration. I've added a few lines to open up FTP to the Internet as well as allow other services to my local network. I've also added what I think will allow me to update the FTP server through CVS. Does anyone suggest I change anything on this configuration or does it look pretty complete?

Thanks for the help!

Adam

# set these to your network and netmask and ip
net="10.0.0.0"
mask="255.255.255.0"
ip="10.0.0.10"

# Allow ping to or from anyone.
# ICMP flood protection compiled into the kernel.
${fwcmd} add pass icmp from ${ip} to any
${fwcmd} add pass icmp from any to ${ip}

# Allow ftp access to or from anyone.
${fwcmd} add pass tcp from ${ip} 21 to any
${fwcmd} add pass tcp from any to ${ip} 21
${fwcmd} add pass udp from ${ip} 21 to any
${fwcmd} add pass udp from any to ${ip} 21

# Allow CVS access
${fwcmd} add pass tcp from ${ip} 2401 to any
${fwcmd} add pass tcp from any to ${ip} 2401
${fwcmd} add pass udp from ${ip} 2401 to any
${fwcmd} add pass udp from any to ${ip} 2401
${fwcmd} add pass tcp from ${ip} 5999 to any
${fwcmd} add pass tcp from any to ${ip} 5999

# Allow ssh traffic to or from my own net.
${fwcmd} add pass tcp from ${ip} 22 to ${net}:${mask}
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 22
${fwcmd} add pass udp from ${ip} 22 to ${net}:${mask}
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 22

# Allow smtp traffic to or from my own net.
${fwcmd} add pass tcp from ${ip} 25 to ${net}:${mask}
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 25
${fwcmd} add pass udp from ${ip} 25 to ${net}:${mask}
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 25

# Allow domain traffic to or from my own net.
${fwcmd} add pass tcp from ${ip} 53 to ${net}:${mask}
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 53
${fwcmd} add pass udp from ${ip} 53 to ${net}:${mask}
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 53

# Allow http traffic to or from my own net.
${fwcmd} add pass tcp from ${ip} 80 to ${net}:${mask}
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 80
${fwcmd} add pass udp from ${ip} 80 to ${net}:${mask}
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 80

# Allow pop3 traffic to or from my own net.
${fwcmd} add pass tcp from ${ip} 110 to ${net}:${mask}
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 110
${fwcmd} add pass udp from ${ip} 110 to ${net}:${mask}
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 110

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${ip} 25 setup

# Allow setup of outgoing TCP connections only
${fwcmd} add pass tcp from ${ip} to any setup

# Disallow setup of all other TCP connections
${fwcmd} add deny tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from any 53 to ${ip}
${fwcmd} add pass udp from ${ip} to any 53

# Allow NTP queries out in the world
${fwcmd} add pass udp from any 123 to ${ip}
${fwcmd} add pass udp from ${ip} to any 123

# Everything else is denied by default

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
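A note on the ruleset in the message above, added by the editor; it is not part of Adam's post and not FreeBSD's stock rc.firewall. ipfw evaluates rules first-match, which matters in three places here. First, the "pass tcp from any to ${ip} 2401" and "... 5999" lines carry no "setup" or "established" qualifier and sit before the catch-all "deny tcp from any to any setup", so they admit connection attempts from the whole Internet: CVS pserver (which sends its password with only trivial scrambling) and the cvsup port end up world-reachable, not LAN-only. Fetching updates from a remote repository needs none of that, because cvsup connects out to port 5999 and pserver checkouts connect out to port 2401, and the existing "pass tcp from ${ip} to any setup" rule already covers outbound connections. Second, the udp rules for 21, 22, 25, 80, 110 and 2401 match no real traffic, since those services are TCP-only; they only widen the ruleset (DNS on 53 is the one service that legitimately needs both). Third, passive-mode FTP: the client opens a second connection to an ephemeral port on the server, and nothing before the "deny ... setup" line admits it, so PASV transfers fail even though active mode (server connects out from port 20, allowed by the outbound setup rule) works. The fragment below is an added example of the same "client" configuration with those points addressed. It keeps the post's net/mask/ip and assumes ftpd hands out passive data ports from 49152-65535 (on FreeBSD that is the net.inet.ip.portrange.hifirst/hilast sysctl range; verify it before relying on it). The syn_from_internet helper is an illustrative replay of ipfw's first-match walk over the printed rules, not an ipfw feature.

```sh
#!/bin/sh
# Added example (not the poster's ruleset and not FreeBSD's stock rc.firewall):
# a tightened "client"-style rc.firewall fragment for an Internet-facing ftpd.
# Rules are printed by default (fwcmd="echo ipfw"); export fwcmd=/sbin/ipfw
# to load them for real.

net="10.0.0.0"
mask="255.255.255.0"
ip="10.0.0.10"
# ASSUMPTION: ftpd chooses passive (PASV) data ports from this range. On
# FreeBSD that is the net.inet.ip.portrange.hifirst/hilast range; check it
# with sysctl and adjust before use.
pasv_lo=49152
pasv_hi=65535
fwcmd="${fwcmd:-echo ipfw}"

ftp_ruleset() {
    # Allow ping to or from anyone (as in the original).
    ${fwcmd} add pass icmp from ${ip} to any
    ${fwcmd} add pass icmp from any to ${ip}

    # Packets of connections that already got past a setup rule. Note that
    # ipfw matches "established" on the ACK/RST bits alone and keeps no
    # state, so this line also admits stray ACK probes; that is inherent
    # to this style of ruleset.
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass all from any to any frag

    # Inbound: one rule per service, matching the SYN only ("setup"), so each
    # rule states exactly who may open a connection. No udp rules for
    # TCP-only services.
    ${fwcmd} add pass tcp from any to ${ip} 21 setup                    # FTP control
    ${fwcmd} add pass tcp from any to ${ip} ${pasv_lo}-${pasv_hi} setup # FTP passive data
    ${fwcmd} add pass tcp from any to ${ip} 25 setup                    # SMTP
    ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 22 setup         # ssh, LAN only
    ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 80 setup         # http, LAN only
    ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 110 setup        # pop3, LAN only
    ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 2401 setup       # CVS pserver, LAN only

    # Outbound connections from this host: active-mode FTP data (from port
    # 20), outgoing mail, cvsup (to port 5999) and pserver checkouts (to
    # port 2401) all need only this rule.
    ${fwcmd} add pass tcp from ${ip} to any setup

    # Every other connection attempt is refused.
    ${fwcmd} add deny tcp from any to any setup

    # UDP: DNS and NTP only, as in the original.
    ${fwcmd} add pass udp from ${ip} to any 53
    ${fwcmd} add pass udp from any 53 to ${ip}
    ${fwcmd} add pass udp from ${ip} to any 123
    ${fwcmd} add pass udp from any 123 to ${ip}
}

# Self-check (illustrative helper, not an ipfw feature): would a SYN from an
# arbitrary Internet host to ${ip} port $1 be accepted? Replays the
# first-match walk over the printed rules and prints "open" or "closed".
# For that question only "pass tcp from any to ${ip} PORT setup" lines and
# the catch-all "deny tcp from any to any setup" can decide.
syn_from_internet() {
    (fwcmd="echo ipfw"; ftp_ruleset) | awk -v port="$1" -v ip="$ip" '
        $3 == "pass" && $4 == "tcp" && $6 == "any" && $8 == ip && $10 == "setup" {
            n = split($9, r, "-"); lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
            if (port + 0 >= lo && port + 0 <= hi) { print "open"; exit }
        }
        $3 == "deny" && $4 == "tcp" && $6 == "any" && $8 == "any" { print "closed"; exit }
    '
}

# "sh thisfile show" prints the ruleset and the self-check for a few ports.
if [ "${1:-}" = "show" ]; then
    ftp_ruleset
    for p in 21 2401 50000 22; do
        echo "SYN from the Internet to ${ip}:$p -> $(syn_from_internet "$p")"
    done
fi
```

Run it with "show" first and read the printed rules before pointing fwcmd at /sbin/ipfw; with the assumed passive range, port 21 and a port inside 49152-65535 answer "open" while 22, 2401 and 5999 answer "closed", which is the intended exposure for a box that serves FTP to the world and everything else to the LAN.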