From: Mike Meyer
Date: Sat, 19 Aug 2000 17:33:41 -0500 (CDT)
To: Steve Lewis
Cc: questions@freebsd.org
Subject: Re: To firewall or not to firewall...
Message-ID: <14751.2885.67063.673424@guru.mired.org>
In-Reply-To: <14321993@toto.iv>

Steve Lewis writes:
> > Nonetheless, I have turned off inetd and according to nmap these are the
> > ports of concern:
>
> With inetd completely off you may have a difficult time logging
> *attempts*. You reduce your vulnerability, this is true, but you also
> blindfold yourself. Consider removing all services served by inetd and
> replacing them with Folgers crystals (or with logging mechanisms) and see
> if folks notice... you certainly will.

Nah - you can let ipfw log the probes if you've turned off inetd. That's
sufficient to detect attempts to break in. You only need more than that if
you want to analyze them in some way.

> > Perhaps I'm confused with where the firewall "sits." How correct is this
> > schematic:
> >
> > 127.0.0.1 <---> firewall <---> NIC <---> Gateway <---> Internet
>
> I can't really advise because your schematic doesn't make sense to me. I
> don't understand where you think the boundaries are of each machine...

I got it. He's talking about logical boundaries, but has left out the
important part - the system proper.
It's more like this:

    System <--> firewall <--> Interfaces <--> The rest of the world

Everything going through an interface, in any direction, goes through the
firewall. That includes the loopback interface. Of course, you probably don't
want to filter that one, so allowing everything through it is usually the
first rule.
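The two points Mike makes above (let the loopback interface through first, then let ipfw's `log` keyword record the probes that inetd no longer answers) can be put together as a small ruleset plus a summary of what the log shows. The script below is an added example and is not code from the original message or from the FreeBSD project. It assumes a FreeBSD 4.x-era ipfw syntax, an external interface named fxp0 and a single exposed service on TCP port 22; the interface name, the port and the log lines it parses are all constructed for the example. Logging only works when the kernel was built with IPFIREWALL_VERBOSE and `sysctl net.inet.ip.fw.verbose=1` is set (`net.inet.ip.fw.verbose_limit` caps how many lines one rule may log).

```shell
#!/bin/sh
# Added example, not from the original post. EXT_IF and port 22 are
# assumptions; override EXT_IF in the environment to match your host.
EXT_IF="${EXT_IF:-fxp0}"

# Emit the ruleset as ipfw(8) commands. On a FreeBSD host with
# IPFIREWALL and IPFIREWALL_VERBOSE in the kernel:  ipfw_rules | sh
ipfw_rules() {
    cat <<EOF
ipfw -f flush
# 1. Loopback first: filtering lo0 only breaks the host's own services.
ipfw add 100 allow ip from any to any via lo0
# 2. Nothing arriving on a real interface may claim to be loopback.
ipfw add 200 deny log ip from any to 127.0.0.0/8
ipfw add 300 deny log ip from 127.0.0.0/8 to any
# 3. Replies to connections this host opened, and anything it sends.
ipfw add 1000 allow tcp from any to any established
ipfw add 1100 allow ip from any to any out via $EXT_IF
# 4. The one service deliberately exposed (logged so successes show up too).
ipfw add 2000 allow log tcp from any to any 22 setup in via $EXT_IF
# 5. Everything else is a probe. With inetd off this rule is the only
#    place the attempt is recorded, so log it before dropping it.
ipfw add 65000 deny log ip from any to any
EOF
}

# Summarise denied TCP/UDP probes from syslog lines written by the kernel,
# counting hits per source address and destination port. The line format
# is the classic one:
#   ipfw: <rule> <Action> <proto> <src>:<sport> <dst>:<dport> <dir> via <if>
summarize_probes() {
    awk '
      /ipfw: [0-9]+ Deny (TCP|UDP) / {
          for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
          src = $(i+4); dst = $(i+5)
          sub(/:[0-9]+$/, "", src)          # drop the ephemeral source port
          port = dst; sub(/^.*:/, "", port) # keep only the destination port
          count[src " " port]++
      }
      END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample of /var/log/security after the ruleset above is loaded.
# Addresses are from the documentation ranges; nothing here is a real host.
SAMPLE_LOG='Aug 19 17:33:41 guru /kernel: ipfw: 65000 Deny TCP 192.0.2.10:4321 198.51.100.5:23 in via fxp0
Aug 19 17:33:42 guru /kernel: ipfw: 65000 Deny TCP 192.0.2.10:4322 198.51.100.5:110 in via fxp0
Aug 19 17:33:42 guru /kernel: ipfw: 65000 Deny TCP 192.0.2.10:4323 198.51.100.5:23 in via fxp0
Aug 19 17:35:07 guru /kernel: ipfw: 65000 Deny UDP 203.0.113.7:53 198.51.100.5:111 in via fxp0
Aug 19 17:36:00 guru /kernel: ipfw: 2000 Accept TCP 192.0.2.99:51000 198.51.100.5:22 in via fxp0'

# Usage: print the ruleset, then the probe summary for the sample log.
ipfw_rules
echo
printf '%s\n' "$SAMPLE_LOG" | summarize_probes
```

On a live host you would feed `summarize_probes` from the security log instead of the sample, for example `grep ipfw: /var/log/security | summarize_probes`. Note that the Accept line for the ssh setup is deliberately excluded by the filter: the summary is about what was refused, which is exactly the information that went away when inetd stopped answering those ports.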