Date: Thu, 4 Mar 2004 17:48:28 +0100
From: "Arnoud" <a.buurman@wxs.nl>
To: <freebsd-questions@freebsd.org>
Cc: ste@ste-land.com
Subject: Re: My ipfilter rules.
Message-ID: <HLEOKNIIAJNHCMCBNBIDCELHKKAA.a.buurman@wxs.nl>
Shaun,

I do have some (minor) additions:

- letting in webmin from an external interface on your firewall does not seem like a good idea to me. webmin is not that secure... normally I only allow this to the loopback interface and tunnel it in SSH for security
- letting out everything is not the smartest thing to do, if one of your services gets compromised you'll never notice outgoing traffic. normally I only allow out everything I know the server needs, anything else is either blocked or logged.

Well it all depends on how secure you want to make things. Basically the script looks pretty good.

Arnoud

> In order to be a good netizen, I applied the bogon list to my outbound traffic, too. I also moved the bad packet checks to the head of the incoming rules, as they make more sense there - no point in letting them use any more cpu than needed, if they are junk.
>
> At least 35 people have looked at my rules (http://www.ste-land.com/rules.html). I've updated the page, so be sure to hit refresh/reload, if you go to look at it again. So far, two people have responded. I took the suggestions of one. Anyone else? I'm putting the server on the Internet tonight, and would like the firewall done by then.
>
> Two questions:
>
> 1) Should I be performing the bad packet checks on the outbound path, too?
>
> 2) I looked at using groups to keep outbound packets from traversing rules for inbound packets, and vice versa, but I still don't understand them well enough to set them up. Suggestions?
>
> -ste
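As an added illustration, not part of this thread and not taken from the rules page linked above, here is an ipfilter ruleset sketch that applies both of Arnoud's points (webmin only on loopback behind an SSH tunnel, outbound restricted to known needs with the rest logged) and uses `head`/`group` so inbound and outbound packets only traverse their own rules. Assumptions: `fxp0` is the external interface, webmin listens on its default TCP port 10000, and the host only needs outbound DNS, NTP and SMTP.

```ipf
# Added example ruleset (assumptions: fxp0 = external interface,
# webmin on TCP 10000, outbound needs are DNS, NTP and SMTP only).

# Loopback is fully trusted; webmin is reached through an SSH tunnel
# to localhost and is never accepted directly on fxp0.
pass in  quick on lo0 all
pass out quick on lo0 all

# Heads: every packet on fxp0 jumps to the group for its direction, so
# inbound traffic is never tested against outbound rules and vice versa.
# The head's own action (block) applies when nothing in the group matches.
block in  quick on fxp0 all head 100
block out quick on fxp0 all head 200

# --- group 100: inbound on fxp0 ---
# Junk first, so it is dropped before any later rule spends CPU on it.
block in log quick all with short  group 100
block in log quick all with ipopts group 100
# webmin from the outside is refused and logged.
block in log quick proto tcp from any to any port = 10000 group 100
# Services this host offers to the world.
pass in quick proto tcp from any to any port = 22 flags S keep state group 100
pass in quick proto tcp from any to any port = 80 flags S keep state group 100

# --- group 200: outbound on fxp0 ---
# The same cheap sanity checks on the way out (this example applies them
# in both directions, which is one answer to question 1 in the thread).
block out log quick all with short  group 200
block out log quick all with ipopts group 200
# Only what the server is known to need; anything else falls through to
# the final logging block, so traffic from a compromised service is visible.
pass out quick proto udp from any to any port = 53  keep state group 200
pass out quick proto tcp from any to any port = 53  flags S keep state group 200
pass out quick proto udp from any to any port = 123 keep state group 200
pass out quick proto tcp from any to any port = 25  flags S keep state group 200
block out log quick all group 200
```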