Date: Mon, 03 Apr 2000 09:58:43 -0400
From: Michael McHugh <mchugh@actv.com>
To: "Adam Woodbeck (KEYKERTUSA)" <Adam_Woodbeck@keykertusa.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Firewall rules for an internet FTP server?
Message-ID: <38E8A393.D492BB3B@actv.com>
References: <0039010010682121000002L112*@MHS>
Get Chapman & Zawicki's "Building Internet Firewalls" - ISBN 1565921240
It may be outdated, but it is an excellent starting point.
To the best of my knowledge, many of the services you're
working on are tcp, not udp based. If you're in an environment
where you can experiment, I'd recommend figuring out
which services are tcp, which are udp, and paring your
ruleset down accordingly.
Also, ftp can be run in two modes - passive and active.
Passive involves pure port 21, active involves the ftp
server opening a connection from port 20 to a high numbered
port on the client.
Also - I remember having some trouble with Internet Exploder
connecting to ftp servers. You may have to tweak your
rules a wee bit to accommodate Micro$oft's fine products.
"Adam Woodbeck (KEYKERTUSA)" wrote:
>
> I'm putting an ftp server online soon and I wanted to get your input on what
> ports you suggest I open up to the Internet. I have the firewall set up to use
> the "client" configuration. I've added a few lines to open up FTP to the
> Internet as well as allow other services to my local network. I've also added
> what I think will allow me to update the FTP server through CVS. Does anyone
> suggest I change anything on this configuration or does it look pretty complete?
> Thanks for the help!
>
> Adam
>
> # set these to your network and netmask and ip
> net="10.0.0.0"
> mask="255.255.255.0"
> ip="10.0.0.10"
>
> # Allow ping to or from anyone.
> # ICMP flood protection compiled into the kernel.
> ${fwcmd} add pass icmp from ${ip} to any
> ${fwcmd} add pass icmp from any to ${ip}
>
> # Allow ftp access to or from anyone.
> ${fwcmd} add pass tcp from ${ip} 21 to any
> ${fwcmd} add pass tcp from any to ${ip} 21
> ${fwcmd} add pass udp from ${ip} 21 to any
> ${fwcmd} add pass udp from any to ${ip} 21
>
> # All CVS access
> ${fwcmd} add pass tcp from ${ip} 2401 to any
> ${fwcmd} add pass tcp from any to ${ip} 2401
> ${fwcmd} add pass udp from ${ip} 2401 to any
> ${fwcmd} add pass udp from any to ${ip} 2401
> ${fwcmd} add pass tcp from ${ip} 5999 to any
> ${fwcmd} add pass tcp from any to ${ip} 5999
>
> # Allow ssh traffic to or from my own net.
> ${fwcmd} add pass tcp from ${ip} 22 to ${net}:${mask}
> ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 22
> ${fwcmd} add pass udp from ${ip} 22 to ${net}:${mask}
> ${fwcmd} add pass udp from ${net}:${mask} to ${ip} 22
>
> # Allow smtp traffic to or from my own net.
> ${fwcmd} add pass tcp from ${ip} 25 to ${net}:${mask}
> ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 25
> ${fwcmd} add pass udp from ${ip} 25 to ${net}:${mask}
> ${fwcmd} add pass udp from ${net}:${mask} to ${ip} 25
>
> # Allow domain traffic to or from my own net.
> ${fwcmd} add pass tcp from ${ip} 53 to ${net}:${mask}
> ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 53
> ${fwcmd} add pass udp from ${ip} 53 to ${net}:${mask}
> ${fwcmd} add pass udp from ${net}:${mask} to ${ip} 53
>
> # Allow http traffic to or from my own net.
> ${fwcmd} add pass tcp from ${ip} 80 to ${net}:${mask}
> ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 80
> ${fwcmd} add pass udp from ${ip} 80 to ${net}:${mask}
> ${fwcmd} add pass udp from ${net}:${mask} to ${ip} 80
>
> # Allow pop3 traffic to or from my own net.
> ${fwcmd} add pass tcp from ${ip} 110 to ${net}:${mask}
> ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 110
> ${fwcmd} add pass udp from ${ip} 110 to ${net}:${mask}
> ${fwcmd} add pass udp from ${net}:${mask} to ${ip} 110
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
> # Allow setup of incoming email
> ${fwcmd} add pass tcp from any to ${ip} 25 setup
>
> # Allow setup of outgoing TCP connections only
> ${fwcmd} add pass tcp from ${ip} to any setup
>
> # Disallow setup of all other TCP connections
> ${fwcmd} add deny tcp from any to any setup
>
> # Allow DNS queries out in the world
> ${fwcmd} add pass udp from any 53 to ${ip}
> ${fwcmd} add pass udp from ${ip} to any 53
>
> # Allow NTP queries out in the world
> ${fwcmd} add pass udp from any 123 to ${ip}
> ${fwcmd} add pass udp from ${ip} to any 123
>
> # Everything else is denied by default
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
--
Michael McHugh
Systems Admin
HyperTV, Inc.
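The reply's advice to work out which services are TCP and which are UDP, and pare the ruleset down accordingly, can be turned into a small audit. The script below is an added example written for this page; it is not code from either poster or from FreeBSD. It parses rule lines in the shape of the quoted rc.firewall fragment (shell variables left unexpanded, one optional port per side) and reports every udp rule that names a service the poster opens which only ever speaks TCP. The TCP_ONLY table is an assumption for this example, built from the ports in the quoted ruleset; DNS and NTP are left out of it on purpose because they legitimately use UDP. Port 20 is included because the reply describes active-mode FTP as the server connecting from port 20 to a high port on the client, which is a TCP data channel and likewise has no UDP counterpart.

```python
import re

# Constructed sample input: a trimmed copy of the ipfw lines quoted in the
# thread, with the ${fwcmd}/${ip}/${net}/${mask} shell variables unexpanded.
SAMPLE_RULES = """\
${fwcmd} add pass tcp from any to ${ip} 21
${fwcmd} add pass udp from any to ${ip} 21
${fwcmd} add pass udp from ${ip} 21 to any
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 22
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 22
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 53
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 53
${fwcmd} add pass udp from ${ip} to any 123
${fwcmd} add pass tcp from any to any established
"""

# Assumption for this example: services from the quoted ruleset that run over
# TCP only. 20 is the active-mode ftp data channel (server port 20 -> client
# high port). 53 and 123 are deliberately absent: DNS and NTP do use UDP.
TCP_ONLY = {
    20: "ftp-data", 21: "ftp", 22: "ssh", 25: "smtp",
    80: "http", 110: "pop3", 2401: "cvspserver",
}

# Minimal, hypothetical subset of ipfw rule syntax, just enough to match the
# shape of the quoted lines: action, protocol, from/to with an optional single
# port on each side, then trailing keywords such as "setup" or "established".
RULE_RE = re.compile(
    r"^\$\{fwcmd\}\s+add\s+(?P<action>pass|allow|deny|drop|reject)\s+(?P<proto>\w+)"
    r"\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?"
    r"(?P<opts>(?:\s+\w+)*)\s*$"
)


def parse_rule(line):
    """Return a dict describing one rule line, or None for anything else
    (comments, blank lines, syntax this toy parser does not understand)."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    rule["sport"] = int(rule["sport"]) if rule["sport"] else None
    rule["dport"] = int(rule["dport"]) if rule["dport"] else None
    rule["opts"] = rule["opts"].split()
    return rule


def audit(text):
    """Split a ruleset into (keep, dropped).

    keep:    lines to retain, in original order (unparsed lines are kept as-is)
    dropped: (line, reason) pairs for udp rules that only make sense for tcp
    """
    keep, dropped = [], []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            keep.append(line)
            continue
        # A rule names at most one service port; take whichever side has it.
        port = rule["dport"] if rule["dport"] is not None else rule["sport"]
        if rule["proto"] == "udp" and port in TCP_ONLY:
            reason = "udp rule for %s/%d, a tcp-only service" % (TCP_ONLY[port], port)
            dropped.append((line, reason))
        else:
            keep.append(line)
    return keep, dropped


if __name__ == "__main__":
    kept, removed = audit(SAMPLE_RULES)
    for line, why in removed:
        print("drop: %-55s # %s" % (line, why))
    print("\n# pared-down ruleset")
    print("\n".join(kept))
```

Run against the sample it removes the two udp/21 lines and the udp/22 line while leaving the udp rules for 53 and 123 and every tcp rule untouched. Feed it the full quoted ruleset and the same logic flags the udp lines for 25, 80, 110 and 2401 as well; the frag, setup and established lines carry no port and pass straight through.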
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?38E8A393.D492BB3B>
