Date: Sat, 19 Aug 2000 17:33:41 -0500 (CDT)
From: Mike Meyer <mwm@mired.org>
To: Steve Lewis <nepolon@systray.com>
Cc: questions@freebsd.org
Subject: Re: To firewall or not to firewall...
Message-ID: <14751.2885.67063.673424@guru.mired.org>
In-Reply-To: <14321993@toto.iv>
Steve Lewis writes:
> > Nonetheless, I have turned off inetd and according to nmap these are the
> > ports of concern:
> With inetd completely off you may have a difficult time logging
> *attempts*. You reduce your vulnerability, this is true, but you also
> blindfold yourself. Consider removing all services served by inetd and
> replacing them with folgers crystals (or with logging mechanisms) and see
> if folks notice... you certainly will.

Nah - you can let ipfw log the probes if you've turned off inetd. That's
sufficient to detect attempts to break in. You only need more than that if
you want to analyze them in some way.

> > Perhaps I'm confused with where the firewall "sits." How correct is this
> > schematic:
> >
> > 127.0.0.1 <---> firewall <---> NIC <---> Gateway <---> Internet
>
> I can't really advise because your schematic doesn't make sense to me. I
> don't understand where you think the boundaries are of each machine...

I got it. He's talking about logical boundaries, but has left out the
important part - the system proper. It's more like this:

System <--> firewall <--> Interfaces <--> The rest of the world.

Everything going through an interface, in any direction, goes through the
firewall. That includes the loopback interface. Of course, you probably
don't want to filter that one, so allowing everything through it is usually
the first rule.

	<mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
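The two points above (pass loopback before anything else, and let the final deny rule's log stand in for a listener) as an added sh example that is not from the thread; the rule set, the interface name fxp0 and the syslog lines are constructed for illustration.

```shell
#!/bin/sh
# Host ruleset for a box with inetd switched off. The firewall sits between
# the system and every interface, lo0 included, so rule 100 passes loopback
# untouched and rule 65000 denies and logs whatever nothing earlier matched.
ipfw_rules() {
    # Loopback first: the firewall sees lo0, but we never filter it.
    echo 'add 100 allow ip from any to any via lo0'
    # 127/8 on a real interface is spoofed: drop it and log it.
    echo 'add 200 deny log ip from any to 127.0.0.0/8'
    echo 'add 210 deny log ip from 127.0.0.0/8 to any'
    # Replies to connections this host opened, plus its own DNS lookups.
    echo 'add 300 allow tcp from any to any established'
    echo 'add 310 allow tcp from me to any out setup'
    echo 'add 320 allow udp from me to any 53 out keep-state'
    # Echo reply, unreachable, echo request, time exceeded.
    echo 'add 400 allow icmp from any to any icmptypes 0,3,8,11'
    # Default: deny and log. Every logged packet is a probe at a closed port.
    echo 'add 65000 deny log ip from any to any'
}

# Load the rules (run as root on the FreeBSD host; not called here).
apply_ruleset() {
    ipfw -q flush
    ipfw_rules | while read -r rule; do ipfw -q $rule; done
    sysctl net.inet.ip.fw.verbose=1 >/dev/null   # ship "Deny" lines to syslog
}

# Count logged probes per source and destination port from syslog lines
# shaped like "ipfw: 65000 Deny TCP src:port dst:port in via fxp0".
probe_summary() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "Deny") break
        if (i > NF) next                          # not an ipfw deny line
        src = $(i + 2); dst = $(i + 3)
        sub(/:[0-9]+$/, "", src)                  # drop the source port
        port = (dst ~ /:/) ? dst : "-"; sub(/^.*:/, "", port)   # ICMP has none
        n[src " -> port " port]++
    } END { for (k in n) print n[k], k }' "$@" | sort -rn
}

# Constructed sample of /var/log/security; addresses are documentation ranges.
SAMPLE_LOG='Aug 19 17:30:01 guru kernel: ipfw: 65000 Deny TCP 192.0.2.10:4444 198.51.100.5:23 in via fxp0
Aug 19 17:30:02 guru kernel: ipfw: 65000 Deny TCP 192.0.2.10:4445 198.51.100.5:21 in via fxp0
Aug 19 17:30:02 guru kernel: ipfw: 65000 Deny TCP 192.0.2.10:4446 198.51.100.5:23 in via fxp0
Aug 19 17:30:09 guru kernel: ipfw: 65000 Deny ICMP:8.0 203.0.113.7 198.51.100.5 in via fxp0
Aug 19 17:31:00 guru kernel: fxp0: link up'

printf '%s\n' "$SAMPLE_LOG" | probe_summary
```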