From: "Arnoud"
Cc: ste@ste-land.com
Date: Thu, 4 Mar 2004 17:48:28 +0100
Subject: Re: My ipfilter rules.

Shaun,

I do have some (minor) additions:

- letting in webmin from an external interface on your firewall does not seem like a good idea to me. webmin is not that secure... normally I only allow this to the loopback interface and tunnel it in SSH for security
- letting out everything is not the smartest thing to do, if one of your services gets compromised you'll never notice outgoing traffic. normally I only allow out everything I know the server needs, anything else is either blocked or logged.

Well it all depends on how secure you want to make things.
Basically the script looks pretty good.

Arnoud

> In order to be a good netizen, I applied the bogon list to my outbound traffic, too. I also moved the bad packet checks to the head of the incoming rules, as they make more sense there - no point in letting them use any more cpu than needed, if they are junk.
>
> At least 35 people have looked at my rules (http://www.ste-land.com/rules.html). I've updated the page, so be sure to hit refresh/reload, if you go to look at it again. So far, two people have responded. I took the suggestions of one. Anyone else? I'm putting the server on the Internet tonight, and would like the firewall done by then.
>
> Two questions:
>
> 1) Should I be performing the bad packet checks on the outbound path, too?
>
> 2) I looked at using groups to keep outbound packets from traversing rules for inbound packets, and vice versa, but I still don't understand them well enough to set them up. Suggestions?
>
> -ste
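An ipf.conf sketch, added here and not ste's published rules nor Arnoud's, that puts the two suggestions above (webmin on loopback only, default-deny outbound with logging) together with the head/group split ste asked about. It assumes the external interface is fxp0, that the resolver is 192.0.2.53 and that webmin listens on its default port 10000; all three are assumptions, not values from the thread.

```ipf
# Assumed external interface: fxp0. Loopback traffic is always allowed, so webmin
# (default port 10000) is reachable only locally, e.g. via ssh -L 10000:127.0.0.1:10000 host.
pass in quick on lo0 all
pass out quick on lo0 all

# Head rules: inbound on fxp0 is evaluated only against group 100, outbound only
# against group 200. If nothing in a group matches, the head rule's own action
# (block) applies, so each direction is default-deny.
block in quick on fxp0 all head 100
block out quick on fxp0 all head 200

# --- group 100: inbound ---
# Bad-packet checks first, so junk is dropped before touching any other rule.
block in log quick from any to any with short group 100
block in log quick from any to any with ipopts group 100
block in log quick from 127.0.0.0/8 to any group 100
# Only the services the box actually offers; webmin is deliberately absent here.
pass in quick proto tcp from any to any port = 22 flags S keep state group 100
pass in quick proto tcp from any to any port = 80 flags S keep state group 100

# --- group 200: outbound ---
# Allow only what the server is known to need (assumed resolver 192.0.2.53,
# outbound mail, NTP). Anything else is logged so a compromised service shows up.
pass out quick proto udp from any to 192.0.2.53 port = 53 keep state group 200
pass out quick proto tcp from any to any port = 25 flags S keep state group 200
pass out quick proto udp from any to any port = 123 keep state group 200
block out log quick all group 200
```

Check with `ipfstat -io` after loading that the groups appear under their heads, and watch `ipmon` output for the logged outbound blocks while confirming nothing legitimate is being dropped.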