From: "Kevin D. Kinsey, DaleCo, S.P." (envelope-from kdk@daleco.biz)
Date: Sat, 24 Jul 2004 14:09:47 -0500
To: Kevin Curran
cc: freebsd-questions@freebsd.org
Subject: Re: Are 4 IPFW rules enough?
Message-ID: <4102B3FB.2050104@daleco.biz>
In-Reply-To: <1087261927.5494.11.camel@tower>

Kevin Curran wrote:
> I have a cable modem and I'm using 4.9 as a NAT router for my home
> network. I have 4 rules in my ipfw config. The first enables NAT and
> the last is 65000 allow any to any.
>
> In between I have 2 rules to deny access to ports 53 and 110 on the
> Internet side. That's all.
>
> Here's my thinking: I use inetd.conf to enable only the services I want,
> therefore the ports on which those services are listening I would want
> open. The two other ports I want to filter on the WAN side are filtered
> by the rules above. All the other ports are closed, anyway, so why
> spend time debugging an elaborate rule set?

What has to be so elaborate?

ipfw add deny ip from any to me in via setup

And it's generally a good idea to think about egress as well.
It's the strategy you're using for inetd, it should probably
be the way you do your firewall. Build the wall with the gates
where you want them instead of the other way 'round.

My $0.02,

Kevin Kinsey