From owner-freebsd-security  Sat Apr  1 12:13:12 2000
Delivered-To: freebsd-security@freebsd.org
Received: from europe.std.com (europe.std.com [199.172.62.20])
	by hub.freebsd.org (Postfix) with ESMTP id A525A37B664
	for <freebsd-security@freebsd.org>; Sat,  1 Apr 2000 12:13:09 -0800 (PST)
	(envelope-from lowell@world.std.com)
Received: from world.std.com (lowell@world-f.std.com [199.172.62.5])
	by europe.std.com (8.9.3/8.9.3) with ESMTP id PAA06541;
	Sat, 1 Apr 2000 15:13:07 -0500 (EST)
Received: (from lowell@localhost)
	by world.std.com (8.9.3/8.9.3) id PAA02447;
	Sat, 1 Apr 2000 15:13:03 -0500 (EST)
To: "Adam Woodbeck (KEYKERTUSA)" <Adam_Woodbeck@keykertusa.com>,
	freebsd-security@freebsd.org
Reply-To: freebsd-security@freebsd.org
Subject: Re: Firewall rules for an internet FTP server?
References: <0039010010682121000002L112*@MHS>
From: Lowell Gilbert <lowell@world.std.com>
Date: 01 Apr 2000 15:13:03 -0500
In-Reply-To: "Adam Woodbeck's message of Fri, 31 Mar 2000 10:55:59 -0500
Message-ID: <rd64s9lpokw.fsf@world.std.com>
Lines: 23
X-Mailer: Gnus v5.5/Emacs 20.2
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Adam Woodbeck (KEYKERTUSA)" <Adam_Woodbeck@keykertusa.com> writes:

> I'm putting an ftp server online soon and I wanted to get your input on what
> ports you suggest I open up to the Internet.  I have the firewall set up to use
> the "client" configuration.  I've added a few lines to open up FTP to the
> Internet as well as allow other services to my local network.  I've also added
> what I think will allow me to update the FTP server through CVS.  Does anyone
> suggest I change anything on this configuration or does it look pretty complete?
>  Thanks for the help!

It looks pretty good from a quick eyeballing, but that's no guarantee.

However, some of the rules are redundant.  Although this isn't
necessarily a problem, it does make everything a little slower.  If
you start having problems with the CPU load on the machine (or the
latency in the NAT/router machine), you might want to tune it a bit
for speed.  Specifically, putting the rule that allows the
"established" TCP connections earlier in the ruleset (and maybe even
doing the same with the one that allows all outgoing TCP setups) would
make this a lot more efficient.  Don't worry much about efficiency
unless you know it's a problem, though.

Be well.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
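The ordering point in Lowell's reply, as an added example that is not part of the original message (Adam's actual ruleset was not posted, and this is not rc.firewall's own code): the same small ipfw ruleset for an FTP server written twice in the rc.firewall `${fwcmd} add ...` style, once with the per-service rules ahead of "established" and once with "established" and the outgoing-setup rule moved up front. The server address (192.0.2.10), the local network (192.0.2.0/24), the CVS pserver rule on port 2401 and the rest of the policy are assumptions made up for illustration. Because every rule in this set is disjoint from the others (a SYN-only "setup" packet never matches "established", inbound and outbound setups never overlap, UDP never matches a TCP rule), reordering changes only how many rules a packet is tested against, not what gets through. With no arguments the script only prints the commands it would run; FWCMD=/sbin/ipfw on a FreeBSD host would load them.

```shell
#!/bin/sh
# Added example, not from the original message or from rc.firewall.
# fwcmd defaults to echo so the script is a dry run anywhere; the
# address, LAN and service rules below are constructed for illustration.

fwcmd="${FWCMD:-echo ipfw}"
ip="${FW_IP:-192.0.2.10}"       # assumed server address (documentation range)
lan="${FW_LAN:-192.0.2.0/24}"   # assumed local network allowed to reach CVS/ssh

# First-draft order: every per-service rule sits ahead of "established",
# so each packet of an already open session is tested against all of them
# before it is finally passed.
naive_ruleset() {
    ${fwcmd} -f flush
    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add deny all from any to 127.0.0.0/8
    ${fwcmd} add pass tcp from any to ${ip} 21 setup        # FTP control channel in
    ${fwcmd} add pass tcp from ${ip} 20 to any setup        # active-mode data out
    ${fwcmd} add pass tcp from ${lan} to ${ip} 2401 setup   # CVS pserver from the LAN
    ${fwcmd} add pass tcp from ${lan} to ${ip} 22 setup     # ssh from the LAN
    ${fwcmd} add pass udp from ${ip} to any 53              # DNS queries out
    ${fwcmd} add pass udp from any 53 to ${ip}              # and their replies
    ${fwcmd} add pass tcp from ${ip} to any setup           # any outgoing TCP
    ${fwcmd} add pass tcp from any to any established       # rest of every session
    ${fwcmd} add deny tcp from any to any setup             # no other inbound TCP
    ${fwcmd} add deny log all from any to any
}

# Tuned order, as the reply suggests: "established" first, then outgoing
# setups, then the few inbound setups. Same rules, same policy; the rules
# that see the most packets are now reached first.
tuned_ruleset() {
    ${fwcmd} -f flush
    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add deny all from any to 127.0.0.0/8
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass tcp from ${ip} to any setup
    ${fwcmd} add pass tcp from any to ${ip} 21 setup
    ${fwcmd} add pass tcp from ${ip} 20 to any setup
    ${fwcmd} add pass tcp from ${lan} to ${ip} 2401 setup
    ${fwcmd} add pass tcp from ${lan} to ${ip} 22 setup
    ${fwcmd} add deny tcp from any to any setup
    ${fwcmd} add pass udp from ${ip} to any 53
    ${fwcmd} add pass udp from any 53 to ${ip}
    ${fwcmd} add deny log all from any to any
}

# Position of the first "add" rule matching PATTERN in a ruleset. ipfw
# stops at the first match, so for a packet that matches nothing earlier
# this is the number of rules it is tested against.
rule_index() {   # rule_index RULESET PATTERN
    "$1" | grep -- ' add ' | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Rules evaluated for one packet of an already established session.
established_cost() {   # established_cost RULESET
    rule_index "$1" established
}

# Returns 0 when both orderings contain exactly the same rule lines
# (checks the rule set, not that the rules are disjoint).
same_rules() {
    [ "$(naive_ruleset | sort)" = "$(tuned_ruleset | sort)" ]
}

# Dry run: show the tuned rules and the per-packet cost of each order.
tuned_ruleset
echo "rules tested per established-session packet: naive=$(established_cost naive_ruleset) tuned=$(established_cost tuned_ruleset)"
```

In the naive order a data packet of an open FTP session is tested against ten rules before it is passed; in the tuned order it is tested against three. The policy is unchanged because the moved rules cannot match a packet that an earlier rule in the other order would have caught. One caveat a practitioner would keep in mind, and the reason this is a speed change rather than a security one: ipfw's `established` keyword is stateless and matches any TCP packet with the ACK or RST bit set, so it does not check that a session actually exists; it passes such packets wherever in the ruleset it sits.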