From owner-freebsd-questions Sun Oct 14 16:33: 0 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from scaup.mail.pas.earthlink.net (scaup.mail.pas.earthlink.net [207.217.121.49]) by hub.freebsd.org (Postfix) with ESMTP id E2D3237B40B for ; Sun, 14 Oct 2001 16:32:56 -0700 (PDT)
Received: from blossom.cjclark.org (dialup-209.247.143.60.Dial1.SanJose1.Level3.net [209.247.143.60]) by scaup.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id QAA08493; Sun, 14 Oct 2001 16:32:47 -0700 (PDT)
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id f9ENWbk01114; Sun, 14 Oct 2001 16:32:37 -0700 (PDT) (envelope-from cjc)
Date: Sun, 14 Oct 2001 16:32:37 -0700
From: "Crist J. Clark"
To: Cliff Sarginson
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Firewall and nmap
Message-ID: <20011014163237.H309@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011014210232.B1658@raggedclown.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011014210232.B1658@raggedclown.net>; from cliff@raggedclown.net on Sun, Oct 14, 2001 at 09:02:32PM +0200
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Oct 14, 2001 at 09:02:32PM +0200, Cliff Sarginson wrote:
> Hello,
> I am slowly building up my knowledge of ipfilter in order
> to build as secure a firewall as I can, basically allowing
> everything out and only ssh and smtp in.
> I am testing it locally basically using nmap. Until
> I actually get 24/7 online it is a bit difficult to test
> it from the outside world. I would like to know that
> if a local test using nmap seems to confirm the intentions of
> my rules is that good enough?

It depends on what you mean by "local." If it is another machine on
the LAN, that is probably just fine.

If you are running nmap on the firewall machine itself, it really is
not. Processing stuff that never crosses a "real" interface and comes
off of a wire is just not the same as running stuff over the loopback.
But then again, if you really do not have the facilities to test the
machine in any other way, it is better than nothing.
-- 
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
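The point of the reply is that ipfilter rules are bound to interfaces, so a scan run on the firewall host against its own address is processed by the loopback rules and never touches the rules guarding the external interface. The ruleset below is an added illustration written for this archive page, not the original poster's configuration or anything from the thread; it implements the stated policy (everything out, only ssh and smtp in) and the external interface name fxp0 is an assumption to be replaced with the real one.

```conf
# Added example, not from the thread. External interface fxp0 is an
# assumption; substitute the interface that faces the outside world.

# Loopback traffic is matched only by these two rules. A scan run on the
# firewall itself against 127.0.0.1 or its own address therefore never
# exercises the fxp0 policy below, which is why such a test proves little.
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound: allow everything; keep state so the replies are let back in
# without needing explicit inbound rules for them.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Inbound: only new TCP connections to ssh (22) and smtp (25).
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state
pass in quick on fxp0 proto tcp from any to any port = 25 flags S keep state

# Everything else arriving on fxp0 is dropped and logged, which is what
# gives the operator a record of what a test (or an attacker) actually hit.
block in log quick on fxp0 all
```

A practical check that complements the reply's advice: load the rules with `ipf -Fa -f /etc/ipf.conf`, run the scan from another host on the LAN, and then compare the per-rule hit counts from `ipfstat -hio` before and after. Hits should appear on the fxp0 rules (the two `pass in` lines for 22 and 25 and the final `block in log`); the same scan run on the firewall host itself will only move the `lo0` counters, making the difference the reply describes directly visible.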