Date: Wed, 17 Jul 2002 09:09:34 +0200
From: "Carroll, D. (Danny)" <Danny.Carroll@mail.ing.nl>
To: <markd@cogeco.ca>, <freebsd-security@freebsd.org>
Subject: RE: ipfw and it's glory...
Message-ID: <6C506EA550443D44A061432F1E92EA4C6C5353@citsnl045.europe.intranet>
Here are a couple of simple things I noticed. Check in-line...

: allow ip from trusted-ip-addy-1 to any
: allow ip from trusted-ip-addy-2 to any
: allow log tcp from any to any established

This rule is redundant. Rule 1 gets it.

: allow log tcp from trusted-ip-addy-1 to any 22 in setup

If you want to be paranoid then you could make these only applicable to the DNS servers of your ISP.

: allow log udp from internal-addy to any 53
: allow log udp from any 53 to internal-addy

Internal-addy. Is that an RFC1918 address??? Or is it a real (routable) internet address? If it is routable then I would consider using the alias "external addy" to save confusion. If it is 1918 then I assume this is a multi-NIC server and you probably need NAT to do some address translation.

: allow log tcp from any to internal-addy 80,21,110,15 setup
: -
: 65535 deny ip from any to any

Other than what you have I'd consider logging the deny, and adding specific denies for address spoofing protection. By that I mean disallow 192.168.x.x or 127.x.x.x et al traffic coming IN from the OUTSIDE. But then again, you do not seem to be specifically allowing anything from the *inside* so it's not that important IMHO. Simpler is often better. Just consider it (spoofing) if you want to start doing this.

Hope this helps..

-D

-----------------------------------------------------------------
ATTENTION: The information in this electronic mail message is private and confidential, and only intended for the addressee. Should you receive this message by mistake, you are hereby notified that any disclosure, reproduction, distribution or use of this message is strictly prohibited. Please inform the sender by reply transmission and delete the message without copying or opening it. Messages and attachments are scanned for all viruses known. If this message contains password-protected attachments, the files have NOT been scanned for viruses by the ING mail domain. Always scan attachments before opening them.
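The ruleset the reply recommends (anti-spoofing denies on the outside interface, DNS restricted to the ISP's resolvers, and a logged final deny ahead of rule 65535), as an added example that is not part of the original message or thread. The addresses are constructed, the external interface name ext0 is an assumption, and the IPFW variable defaults to a dry run that only prints the rules.

```shell
#!/bin/sh
# Constructed addresses; ext0 is an assumed external interface name.
EXT_IF="ext0"
EXT_ADDY="198.51.100.10"      # routable address of this host (the "external addy")
TRUSTED1="203.0.113.5"        # trusted management hosts
TRUSTED2="203.0.113.6"
ISP_DNS="203.0.113.53 203.0.113.54"   # the ISP's resolvers

# Dry run by default: set IPFW=/sbin/ipfw to actually load the rules.
IPFW="${IPFW:-echo ipfw}"
rule() { $IPFW add "$@"; }

gen_rules() {
  # Anti-spoofing: private and loopback sources must never arrive from the outside.
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
    rule 100 deny log ip from "$net" to any in via "$EXT_IF"
  done
  # Our own address arriving on the outside interface is spoofed too.
  rule 110 deny log ip from "$EXT_ADDY" to any in via "$EXT_IF"

  rule 200 allow ip from "$TRUSTED1" to any
  rule 210 allow ip from "$TRUSTED2" to any
  rule 300 allow log tcp from any to any established
  rule 400 allow log tcp from "$TRUSTED1" to any 22 in setup

  # DNS only to and from the ISP resolvers instead of "any" on port 53.
  for ns in $ISP_DNS; do
    rule 500 allow log udp from "$EXT_ADDY" to "$ns" 53
    rule 510 allow log udp from "$ns" 53 to "$EXT_ADDY"
  done

  rule 600 allow log tcp from any to "$EXT_ADDY" 80,21,110,15 setup

  # Explicit logged deny so dropped packets show up in the log; 65535 stays as the backstop.
  rule 65000 deny log ip from any to any
}

gen_rules
```

Run it once as a dry run, review the printed rules, then rerun with IPFW=/sbin/ipfw from a console session so a mistake cannot lock you out.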
