Date:      Fri, 31 Mar 2000 10:55:59 -0500
From:      "Adam Woodbeck (KEYKERTUSA)" <Adam_Woodbeck@keykertusa.com>
To:        <freebsd-security@freebsd.org>
Subject:   Firewall rules for an internet FTP server?
Message-ID:  <0039010010682121000002L112*@MHS>

I'm putting an ftp server online soon and I wanted to get your input on
what ports you suggest I open up to the Internet.  I have the firewall set
up to use the "client" configuration.  I've added a few lines to open up
FTP to the Internet as well as allow other services to my local network.
I've also added what I think will allow me to update the FTP server
through CVS.  Does anyone suggest I change anything on this configuration
or does it look pretty complete?
Thanks for the help!

Adam

        # set these to your network and netmask and ip
        net="10.0.0.0"
        mask="255.255.255.0"
        ip="10.0.0.10"

        # Allow ping to or from anyone.
        # ICMP flood protection compiled into the kernel.
        ${fwcmd} add pass icmp from ${ip} to any
        ${fwcmd} add pass icmp from any to ${ip}

        # Allow ftp access to or from anyone (control channel, port 21).
        # Active-mode data connections are opened by the server from port 20
        # and pass under the outgoing "setup" rule further down; passive-mode
        # data connections (client SYN to a high port) are opened nowhere in
        # this ruleset.  ftp is TCP-only, so the udp rules match no real traffic.
        ${fwcmd} add pass tcp from ${ip} 21 to any
        ${fwcmd} add pass tcp from any to ${ip} 21
        ${fwcmd} add pass udp from ${ip} 21 to any
        ${fwcmd} add pass udp from any to ${ip} 21

        # All CVS access: pserver (2401) and port 5999 (the CVSup default),
        # to or from anyone.  Both are TCP services; the udp rules are inert.
        ${fwcmd} add pass tcp from ${ip} 2401 to any
        ${fwcmd} add pass tcp from any to ${ip} 2401
        ${fwcmd} add pass udp from ${ip} 2401 to any
        ${fwcmd} add pass udp from any to ${ip} 2401
        ${fwcmd} add pass tcp from ${ip} 5999 to any
        ${fwcmd} add pass tcp from any to ${ip} 5999

        # Allow ssh traffic to or from my own net.
        # (ssh, smtp, http and pop3 are TCP-only; of the services below only
        # dns also uses udp.)
        ${fwcmd} add pass tcp from ${ip} 22 to ${net}:${mask}
        ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 22
        ${fwcmd} add pass udp from ${ip} 22 to ${net}:${mask}
        ${fwcmd} add pass udp from ${net}:${mask} to ${ip} 22

        # Allow smtp traffic to or from my own net.
        ${fwcmd} add pass tcp from ${ip} 25 to ${net}:${mask}
        ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 25
        ${fwcmd} add pass udp from ${ip} 25 to ${net}:${mask}
        ${fwcmd} add pass udp from ${net}:${mask} to ${ip} 25

        # Allow domain traffic to or from my own net.
        ${fwcmd} add pass tcp from ${ip} 53 to ${net}:${mask}
        ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 53
        ${fwcmd} add pass udp from ${ip} 53 to ${net}:${mask}
        ${fwcmd} add pass udp from ${net}:${mask} to ${ip} 53

        # Allow http traffic to or from my own net.
        ${fwcmd} add pass tcp from ${ip} 80 to ${net}:${mask}
        ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 80
        ${fwcmd} add pass udp from ${ip} 80 to ${net}:${mask}
        ${fwcmd} add pass udp from ${net}:${mask} to ${ip} 80

        # Allow pop3 traffic to or from my own net.
        ${fwcmd} add pass tcp from ${ip} 110 to ${net}:${mask}
        ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 110
        ${fwcmd} add pass udp from ${ip} 110 to ${net}:${mask}
        ${fwcmd} add pass udp from ${net}:${mask} to ${ip} 110

        # Allow TCP through if setup succeeded
        # (stateless: "established" matches any segment with ACK or RST set,
        # to any port)
        ${fwcmd} add pass tcp from any to any established

        # Allow IP fragments to pass through
        # (non-first fragments carry no port or flag information, so this
        # rule cannot be narrowed by port)
        ${fwcmd} add pass all from any to any frag

        # Allow setup of incoming email
        ${fwcmd} add pass tcp from any to ${ip} 25 setup

        # Allow setup of outgoing TCP connections only
        ${fwcmd} add pass tcp from ${ip} to any setup

        # Disallow setup of all other TCP connections
        ${fwcmd} add deny tcp from any to any setup

        # Allow DNS queries out in the world
        ${fwcmd} add pass udp from any 53 to ${ip}
        ${fwcmd} add pass udp from ${ip} to any 53

        # Allow NTP queries out in the world
        ${fwcmd} add pass udp from any 123 to ${ip}
        ${fwcmd} add pass udp from ${ip} to any 123

        # Everything else is denied by default
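To see what the posted ruleset actually does with the traffic it is meant to carry, here is an added example that walks the rules in first-match order the way ipfw would. It is not part of the original message and not FreeBSD's ipfw: only the keywords the post uses (`setup`, `established`, `frag`, address and port matching) are modelled. The rules are transcribed from the post with `${fwcmd}` dropped, the `${fwcmn}` typos read as `${fwcmd}` and `${net}:${mask}` written as `10.0.0.0/24`; the Internet and LAN client addresses, the client source port and the passive-FTP data port are constructed for the example.

```python
"""Evaluate the ipfw ruleset posted above in first-match order (added example,
not part of the original message and not FreeBSD's ipfw).  Only the keywords the
post uses are modelled; rules are transcribed with ${fwcmd} dropped, ${fwcmn}
read as ${fwcmd} and ${net}:${mask} written as NET.  Unmatched traffic is denied."""
import ipaddress
from dataclasses import dataclass

IP, NET = "10.0.0.10", "10.0.0.0/24"          # ip and net:mask from the post
INTERNET, LAN = "198.51.100.7", "10.0.0.5"    # constructed client addresses

def pair(proto, port, peer):
    """The post's idiom: one rule each way for a service on IP:port."""
    return [f"pass {proto} from IP {port} to {peer}",
            f"pass {proto} from {peer} to IP {port}"]

RULES = (                                      # same order as the post
    ["pass icmp from IP to any", "pass icmp from any to IP"]
    + pair("tcp", 21, "any") + pair("udp", 21, "any")               # ftp
    + pair("tcp", 2401, "any") + pair("udp", 2401, "any")           # cvs
    + pair("tcp", 5999, "any")
    + [r for p in (22, 25, 53, 80, 110)                             # LAN only
       for proto in ("tcp", "udp") for r in pair(proto, p, "NET")]
    + ["pass tcp from any to any established",
       "pass all from any to any frag",
       "pass tcp from any to IP 25 setup",
       "pass tcp from IP to any setup",
       "deny tcp from any to any setup",
       "pass udp from any 53 to IP", "pass udp from IP to any 53",
       "pass udp from any 123 to IP", "pass udp from IP to any 123"]
)

@dataclass
class Pkt:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False       # TCP SYN set
    ack: bool = False       # TCP ACK (or RST) set
    frag: bool = False      # non-first fragment: ports and flags not visible

def parse(rule):
    """Split 'action proto from src [sport] to dst [dport] [options]'."""
    w = rule.split()
    i, j = w.index("from"), w.index("to")
    sport = int(w[i + 2]) if i + 2 < j else None
    rest = w[j + 1:]
    dport = int(rest[1]) if len(rest) > 1 and rest[1].isdigit() else None
    opts = {t for t in rest[1:] if t in ("setup", "established", "frag")}
    return w[0], w[1], w[i + 1], sport, rest[0], dport, opts

def addr_match(spec, addr):
    if spec == "any":
        return True
    spec = {"IP": IP, "NET": NET}.get(spec, spec)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, p):
    _, proto, src, sport, dst, dport, opts = parse(rule)
    if proto not in ("all", "ip", p.proto):
        return False
    if not (addr_match(src, p.src) and addr_match(dst, p.dst)):
        return False
    needs_l4 = sport is not None or dport is not None or bool(opts & {"setup", "established"})
    if p.frag:                  # ipfw cannot check ports or flags in a later fragment
        return "frag" in opts or not needs_l4
    if "frag" in opts or sport not in (None, p.sport) or dport not in (None, p.dport):
        return False
    if "setup" in opts and (p.ack or not p.syn):
        return False
    return "established" not in opts or p.ack

def verdict(p):
    """(action, rule number, rule text) of the first match, else default deny."""
    for n, rule in enumerate(RULES, 1):
        if matches(rule, p):
            return rule.split()[0], n, rule
    return "deny", 0, "default deny"

def inbound_syn(dport, src=INTERNET, proto="tcp"):
    """New connection from src to the server's dport."""
    return verdict(Pkt(proto, src, IP, sport=40000, dport=dport, syn=True))[0]

def outbound_syn(sport, dport):
    """New connection from the server, e.g. active-mode FTP data from port 20."""
    return verdict(Pkt("tcp", IP, INTERNET, sport=sport, dport=dport, syn=True))[0]

def inbound_ack(dport):
    """Bare ACK-flagged segment from the Internet to an arbitrary port."""
    return verdict(Pkt("tcp", INTERNET, IP, sport=40000, dport=dport, ack=True))[0]

if __name__ == "__main__":
    print("ftp control (21) from Internet:     ", inbound_syn(21))
    print("passive ftp data port from Internet:", inbound_syn(50000))
    print("active ftp data, server port 20 out:", outbound_syn(20, 41234))
    print("cvs pserver (2401) from Internet:   ", inbound_syn(2401))
    print("ssh (22) from Internet / from LAN:  ", inbound_syn(22), inbound_syn(22, LAN))
    print("bare ACK to port 50000:             ", inbound_ack(50000))
```

Running it answers the question in the post for each service: a SYN to port 21 is passed by the `from any to ${ip} 21` rule, an active-mode data connection from port 20 is passed by the outgoing `setup` rule, but a passive-mode data connection (a client SYN to a high port) reaches the `deny tcp from any to any setup` rule, so passive clients will fail to transfer files. Ports 2401 and 5999 admit SYNs from anywhere, while 22, 25 (setup aside), 53, 80 and 110 are reachable only from 10.0.0.0/24. Because `established` is stateless, any segment with ACK or RST set is passed to any port regardless of whether a connection exists.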