Date:      01 Apr 2000 15:13:03 -0500
From:      Lowell Gilbert <lowell@world.std.com>
To:        "Adam Woodbeck (KEYKERTUSA)" <Adam_Woodbeck@keykertusa.com>, freebsd-security@freebsd.org
Subject:   Re: Firewall rules for an internet FTP server?
Message-ID:  <rd64s9lpokw.fsf@world.std.com>
In-Reply-To: Adam Woodbeck's message of Fri, 31 Mar 2000 10:55:59 -0500
References:  <0039010010682121000002L112*@MHS>

"Adam Woodbeck (KEYKERTUSA)" <Adam_Woodbeck@keykertusa.com> writes:

> I'm putting an ftp server online soon and I wanted to get your input on what
> ports you suggest I open up to the Internet.  I have the firewall set up to use
> the "client" configuration.  I've added a few lines to open up FTP to the
> Internet as well as allow other services to my local network.  I've also added
> what I think will allow me to update the FTP server through CVS.  Does anyone
> suggest I change anything on this configuration or does it look pretty complete?
> Thanks for the help!

It looks pretty good from a quick eyeballing, but that's no guarantee.

However, some of the rules are redundant.  Although this isn't
necessarily a problem, it does make everything a little slower.  If
you start having problems with the CPU load on the machine (or the
latency in the NAT/router machine), you might want to tune it a bit
for speed.  Specifically, putting the rule that allows the
"established" TCP connections earlier in the ruleset (and maybe even
doing the same with the one that allows all outgoing TCP setups) would
make this a lot more efficient.  Don't worry much about efficiency
unless you know it's a problem, though.

Be well.
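The ordering point above rests on ipfw evaluating rules first-match, so the rule that most packets hit should sit near the top. The following Python model is an added illustration, not part of this thread or of FreeBSD's rc.firewall; it assumes a simplified rule syntax (no directions or addresses) and a constructed ruleset and traffic sample, and it checks both the per-packet cost of the two orderings and that hoisting the "established" rule changes no verdict.

```python
from typing import List, Optional, Tuple
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip = any protocol)
    dport: Optional[int]   # destination port, None = any port
    flag: Optional[str]    # "setup" (SYN only), "established" (non-SYN) or None

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    established: bool      # True for a segment of an already-open TCP connection

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and rule.dport in (None, pkt.dport)
            and rule.flag in (None, "established" if pkt.established else "setup"))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First-match evaluation as ipfw does it: (verdict, number of rules examined)."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, n
    return "deny", len(rules)  # ipfw's implicit final deny

def reorder_established_first(rules: List[Rule]) -> List[Rule]:
    # The suggested tuning: hoist the "established" rule ahead of the per-port setup rules.
    est = [r for r in rules if r.flag == "established"]
    return est + [r for r in rules if r.flag != "established"]

def cost(rules: List[Rule], packets: List[Packet]) -> int:
    return sum(evaluate(rules, p)[1] for p in packets)

def same_verdicts(a: List[Rule], b: List[Rule], packets: List[Packet]) -> bool:
    # Check before adopting a reordered ruleset: every sample packet keeps its verdict.
    return all(evaluate(a, p)[0] == evaluate(b, p)[0] for p in packets)

# Constructed ruleset in the spirit of rc.firewall's "client" section plus an FTP hole.
ORIGINAL = [
    Rule("allow", "udp", 53, None), Rule("allow", "udp", 123, None),
    Rule("allow", "tcp", 21, "setup"), Rule("allow", "tcp", 22, "setup"),
    Rule("allow", "tcp", 25, "setup"), Rule("allow", "tcp", 80, "setup"),
    Rule("allow", "tcp", None, "established"), Rule("deny", "ip", None, None),
]
# Constructed traffic: most packets reaching a busy FTP server belong to open connections.
TRAFFIC = ([Packet("tcp", 21, False)] * 2 + [Packet("tcp", 21, True)] * 20
           + [Packet("tcp", 23, False), Packet("udp", 53, False)])
```

With this sample the hoisted ordering examines 38 rules in total instead of 155 while returning the same verdict for every packet; a real ruleset with deny rules placed above the "established" rule would fail the `same_verdicts` check, which is exactly when the reordering must not be done blindly.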
