From owner-freebsd-security Mon Apr 3 6:59:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lansolo.actv.com (smtp.actv.com [209.10.139.20]) by hub.freebsd.org (Postfix) with ESMTP id 683F437B512 for ; Mon, 3 Apr 2000 06:59:39 -0700 (PDT) (envelope-from mchugh@actv.com)
Received: from actv.com (ranger.actv.com [209.10.139.10]) by lansolo.actv.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0) id H8FXB932; Mon, 3 Apr 2000 10:07:17 -0400
Message-ID: <38E8A393.D492BB3B@actv.com>
Date: Mon, 03 Apr 2000 09:58:43 -0400
From: Michael McHugh
X-Mailer: Mozilla 4.72 [en] (X11; U; FreeBSD 3.4-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: "Adam Woodbeck (KEYKERTUSA)"
Cc: freebsd-security@freebsd.org
Subject: Re: Firewall rules for an internet FTP server?
References: <0039010010682121000002L112*@MHS>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Get Chapman & Zwicky's "Building Internet Firewalls" - ISBN 1565921240. It may be outdated, but it is an excellent starting point.

To the best of my knowledge, many of the services you're working on are tcp, not udp based. If you're in an environment where you can experiment, I'd recommend figuring out which services are tcp, which are udp, and paring your ruleset down accordingly.

Also, ftp can be run in two modes - passive and active. Passive involves pure port 21, active involves the ftp server opening a connection from port 20 to a high numbered port on the client.

Also - I remember having some trouble with Internet Exploder connecting to ftp servers. You may have to tweak your rules a wee bit to accommodate Micro$oft's fine products.

"Adam Woodbeck (KEYKERTUSA)" wrote:
>
> I'm putting an ftp server online soon and I wanted to get your input on what
> ports you suggest I open up to the Internet. I have the firewall set up to use
> the "client" configuration.
> I've added a few lines to open up FTP to the
> Internet as well as allow other services to my local network. I've also added
> what I think will allow me to update the FTP server through CVS. Does anyone
> suggest I change anything on this configuration or does it look pretty complete?
> Thanks for the help!
>
> Adam
>
> # set these to your network and netmask and ip
> net="10.0.0.0"
> mask="255.255.255.0"
> ip="10.0.0.10"
>
> # Allow ping to or from anyone.
> # ICMP flood protection compiled into the kernel.
> ${fwcmd} add pass icmp from ${ip} to any
> ${fwcmd} add pass icmp from any to ${ip}
>
> # Allow ftp access to or from anyone.
> ${fwcmd} add pass tcp from ${ip} 21 to any
> ${fwcmd} add pass tcp from any to ${ip} 21
> ${fwcmd} add pass udp from ${ip} 21 to any
> ${fwcmd} add pass udp from any to ${ip} 21
>
> # All CVS access
> # (the variable is ${fwcmd} throughout; the original had ${fwcmn} on four of
> # these lines, which expands to nothing and makes those rules fail to load)
> ${fwcmd} add pass tcp from ${ip} 2401 to any
> ${fwcmd} add pass tcp from any to ${ip} 2401
> ${fwcmd} add pass udp from ${ip} 2401 to any
> ${fwcmd} add pass udp from any to ${ip} 2401
> ${fwcmd} add pass tcp from ${ip} 5999 to any
> ${fwcmd} add pass tcp from any to ${ip} 5999
>
> # Allow ssh traffic to or from my own net.
> ${fwcmd} add pass tcp from ${ip} 22 to ${net}:${mask}
> ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 22
> ${fwcmd} add pass udp from ${ip} 22 to ${net}:${mask}
> ${fwcmd} add pass udp from ${net}:${mask} to ${ip} 22
>
> # Allow smtp traffic to or from my own net.
> ${fwcmd} add pass tcp from ${ip} 25 to ${net}:${mask}
> ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 25
> ${fwcmd} add pass udp from ${ip} 25 to ${net}:${mask}
> ${fwcmd} add pass udp from ${net}:${mask} to ${ip} 25
>
> # Allow domain traffic to or from my own net.
> ${fwcmd} add pass tcp from ${ip} 53 to ${net}:${mask}
> ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 53
> ${fwcmd} add pass udp from ${ip} 53 to ${net}:${mask}
> ${fwcmd} add pass udp from ${net}:${mask} to ${ip} 53
>
> # Allow http traffic to or from my own net.
> ${fwcmd} add pass tcp from ${ip} 80 to ${net}:${mask}
> ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 80
> ${fwcmd} add pass udp from ${ip} 80 to ${net}:${mask}
> ${fwcmd} add pass udp from ${net}:${mask} to ${ip} 80
>
> # Allow pop3 traffic to or from my own net.
> ${fwcmd} add pass tcp from ${ip} 110 to ${net}:${mask}
> ${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 110
> ${fwcmd} add pass udp from ${ip} 110 to ${net}:${mask}
> ${fwcmd} add pass udp from ${net}:${mask} to ${ip} 110
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
> # Allow setup of incoming email
> ${fwcmd} add pass tcp from any to ${ip} 25 setup
>
> # Allow setup of outgoing TCP connections only
> ${fwcmd} add pass tcp from ${ip} to any setup
>
> # Disallow setup of all other TCP connections
> ${fwcmd} add deny tcp from any to any setup
>
> # Allow DNS queries out in the world
> ${fwcmd} add pass udp from any 53 to ${ip}
> ${fwcmd} add pass udp from ${ip} to any 53
>
> # Allow NTP queries out in the world
> ${fwcmd} add pass udp from any 123 to ${ip}
> ${fwcmd} add pass udp from ${ip} to any 123
>
> # Everything else is denied by default
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Michael McHugh
Systems Admin
HyperTV, Inc.
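The reply's advice is to work out which services are really TCP and pare the ruleset down. The quickest way to see what a first-match ruleset like the one quoted above actually admits is to run candidate packets through it. The script below is an added example, not code from the original thread or from ipfw itself: it is a deliberately small model of ipfw's first-match evaluation that understands only the keywords the posted rules use (`setup`, `established`, `frag`, single ports and `lo-hi` port ranges, `${net}:${mask}` as a CIDR block). It compares the Internet-facing subset of the posted rules against a pared-down set that keeps only TCP where the service is TCP, limits CVS pserver (2401) to the local net, and adds a passive-FTP data range. The passive range `50000-50100`, the client address `203.0.113.5` and the LAN host `10.0.0.20` are constructed for the example; whatever range is chosen has to match the one the FTP daemon is configured to hand out in PASV replies.

```python
"""Simplified first-match model of ipfw rules (added example, not ipfw itself)."""
import ipaddress
from dataclasses import dataclass

IP = "10.0.0.10"      # ${ip} from the posting
NET = "10.0.0.0/24"   # ${net}:${mask} from the posting, as a CIDR block


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag
    frag: bool = False  # non-first IP fragment


def parse_rule(text):
    """Parse 'ACTION PROTO from SRC [SPORT] to DST [DPORT] [setup|established|frag]'."""
    toks = text.replace("${ip}", IP).replace("${net}:${mask}", NET).split()
    i, j = toks.index("from"), toks.index("to")
    rest = toks[j + 2:]
    return {
        "action": toks[0], "proto": toks[1],
        "src": toks[i + 1], "sport": toks[i + 2] if j - i == 3 else "any",
        "dst": toks[j + 1],
        "dport": rest.pop(0) if rest and rest[0][0].isdigit() else "any",
        "opts": set(rest),
    }


def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")        # "21" or "50000-50100"
    return int(lo) <= port <= int(hi or lo)


def _matches(rule, p):
    if rule["proto"] not in ("all", "ip", p.proto):
        return False
    if not (_addr_ok(rule["src"], p.src) and _addr_ok(rule["dst"], p.dst)):
        return False
    if not (_port_ok(rule["sport"], p.sport) and _port_ok(rule["dport"], p.dport)):
        return False
    o = rule["opts"]
    if "setup" in o and not (p.proto == "tcp" and p.syn and not p.ack):
        return False
    if "established" in o and not (p.proto == "tcp" and p.ack):  # ipfw: ACK or RST set
        return False
    if "frag" in o and not p.frag:
        return False
    return True


def verdict(rules, p):
    """First matching rule decides; nothing matched means the default deny."""
    for r in rules:
        if _matches(r, p):
            return r["action"]
    return "deny"


# Internet-facing subset of the posted ruleset, in the posted order (${fwcmd} add dropped).
POSTED = [parse_rule(r) for r in [
    "pass icmp from ${ip} to any", "pass icmp from any to ${ip}",
    "pass tcp from ${ip} 21 to any", "pass tcp from any to ${ip} 21",
    "pass udp from ${ip} 21 to any", "pass udp from any to ${ip} 21",
    "pass tcp from ${ip} 2401 to any", "pass tcp from any to ${ip} 2401",
    "pass tcp from ${ip} 22 to ${net}:${mask}", "pass tcp from ${net}:${mask} to ${ip} 22",
    "pass tcp from any to any established", "pass all from any to any frag",
    "pass tcp from any to ${ip} 25 setup", "pass tcp from ${ip} to any setup",
    "deny tcp from any to any setup",
    "pass udp from any 53 to ${ip}", "pass udp from ${ip} to any 53",
]]

# Pared-down alternative: TCP only where the service is TCP, SYN-only admission, CVS on the LAN only.
PARED = [parse_rule(r) for r in [
    "pass icmp from ${ip} to any", "pass icmp from any to ${ip}",
    "pass tcp from any to any established",
    "pass tcp from any to ${ip} 21 setup",               # FTP control channel
    "pass tcp from any to ${ip} 50000-50100 setup",      # passive data range (assumed; ftpd must use it too)
    "pass tcp from ${net}:${mask} to ${ip} 2401 setup",  # CVS pserver from the local net only
    "pass tcp from ${net}:${mask} to ${ip} 22 setup",
    "pass tcp from any to ${ip} 25 setup",
    "pass tcp from ${ip} to any setup",                  # outbound, covers active-mode data from port 20
    "deny tcp from any to any setup",
    "pass udp from any 53 to ${ip}", "pass udp from ${ip} to any 53",
]]

CLIENT, LAN = "203.0.113.5", "10.0.0.20"   # constructed Internet client and LAN host
SAMPLES = {   # constructed probe packets
    "ftp control SYN from Internet": Packet("tcp", CLIENT, 40000, IP, 21, syn=True),
    "udp to port 21 from Internet": Packet("udp", CLIENT, 40000, IP, 21),
    "cvs pserver SYN from Internet": Packet("tcp", CLIENT, 40001, IP, 2401, syn=True),
    "cvs pserver SYN from LAN": Packet("tcp", LAN, 40001, IP, 2401, syn=True),
    "active data SYN, server port 20 to client": Packet("tcp", IP, 20, CLIENT, 40002, syn=True),
    "passive data SYN to server high port": Packet("tcp", CLIENT, 40003, IP, 50042, syn=True),
    "unsolicited SYN to port 22 from Internet": Packet("tcp", CLIENT, 40004, IP, 22, syn=True),
}


def compare(rules_a=POSTED, rules_b=PARED):
    """Return {sample name: (verdict under rules_a, verdict under rules_b)}."""
    return {n: (verdict(rules_a, p), verdict(rules_b, p)) for n, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:44} posted={a:5} pared={b}")
```

Two things stand out when the table is printed. The posted rules pass UDP to port 21 and pass CVS pserver connections from anywhere, because those rules come before the `setup`/`deny` pair and carry no flag restriction at all; the pared set denies both. In the other direction, the posted set denies passive-mode data connections, since they arrive at a high port on the server and hit `deny tcp from any to any setup`, while active-mode data (server port 20 outbound) passes under both because outbound `setup` is open. Whether passive transfers are wanted decides whether a data-port range belongs in the real ruleset.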