From: "David J. Kanter"
To: FreeBSD questions <freebsd-questions@freebsd.org>
Date: Fri, 18 Aug 2000 20:59:52 -0500
Subject: To firewall or not to firewall...
Message-ID: <20000818205952.A8313@localhost.localdomain>
User-Agent: Mutt/1.2.4i
X-Operating-System: FreeBSD 4.1-STABLE

...that is the question.

I have a single computer, with no internal network, that will shortly have a DSL connection that uses PPPoE and dynamic IP address assignment. I am a little confused about two things: one, do I need a firewall, and two, how do I construct one with a dynamically assigned IP address?

I've read that a firewall isn't really needed for one machine. Some say that ppp filters are better here. Nonetheless, I have turned off inetd, and according to nmap these are the ports of concern:

    Port      State   Service
    25/tcp    open    smtp
    53/tcp    open    domain
    111/tcp   open    sunrpc
    515/tcp   open    printer
    6000/tcp  open    X11
    7101/tcp  open    unknown

One question that arises is when to block "in" and/or "out" connections. It's a matter of not knowing where the "in" is coming from and where the "out" is coming from and going to.
For instance, I should let "in" connections to port 25, right, but refuse "in" connections to port 6000? If I refuse "out" connections to port 6000, will I then block use of X on my machine?

Perhaps I'm confused about where the firewall "sits." How correct is this schematic?

    127.0.0.1 <---> firewall <---> NIC <---> Gateway <---> Internet

Any help would be appreciated.

-- 
David Kanter