Date: Thu, 4 Nov 1999 08:25:32 -0700 (MST) From: David G Andersen <danderse@cs.utah.edu> To: scott@computeralt.com (Scott I. Remick) Cc: freebsd-security@FreeBSD.ORG Subject: Re: Firewall questions Message-ID: <199911041525.IAA06533@faith.cs.utah.edu> In-Reply-To: <4.2.2.19991104094637.00cdd9f0@mail.computeralt.com> from "Scott I. Remick" at Nov 4, 99 10:11:15 am
Lo and behold, Scott I. Remick once said:
>
> 1) I've purchased the O'Reilly book "Building Internet Firewalls", and have
> printed out chapters 6.4 and 16 from the handbook. However, is there any
> other guide that describes in better detail how to do what I am doing?
> (read on for details)
It depends what you want to accomplish with your firewall.
>
> 2) Is sendmail necessary on a firewall? I've removed all other
> non-essential daemons already (r*, telnetd, ftpd, even inetd). The only
> service running right now is ssh, which is the only way I communicate with
> this system. I've never telnetted to it.
See above: It depends what...
> 3) What the heck would be using port 111? Strobe shows it as being alive
> and listening.
portmapper. See /etc/rc.conf
> 4) How do I properly set up routes for a dual-homed firewall where both
> sides are within the same class C? This is the first time I've ever had to
> play with routing and gateways.
Subnet them into /25's, or use RFC1918 addresses on the inside.
> 5) Where's the proper place to put your ipfw rules so they get reloaded on
> every boot? rc.local?
/etc/{name} and then set your firewall name in /etc/rc.conf
> 6) Should www/ftp/dns/etc servers be inside the firewall, or in the DMZ?
Depends what you need to do with 'em. Obviously, your internal hosts
need DNS service; I'd stick a DNS server inside. As for external access
to your DNS server, that's your call (or an economic decision. :-)
WWW and FTP are traditionally put in the DMZ, but again.
> So I feel like I'm making good progress. I'm getting a good understanding
> of ipfw rules. But the routes thing has got me a bit stumped. I'm not
> clear on what routing is being done by routed, what routing is being done
> (if any) by ipfw (because rc.firewall has places for you to put in both
> sides of your firewall), and what the difference in enabling routing and
> enabling gateway is.
If you've only got a few networks, don't use routed, use static routes.
-Dave
--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/
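The setup Dave sketches (the class C split into two /25s, static routes instead of routed, a rule file named from /etc/rc.conf, portmapper turned off) as an added example that is not part of the original thread; the interface names, the 192.0.2.0/24 addresses and the rc.conf variable names are assumptions for a FreeBSD of that era, so check your own /etc/rc.firewall for the exact hook:

```shell
#!/bin/sh
# Added example, not from the thread: generates an ipfw rule file for a
# dual-homed FreeBSD firewall whose single class C is split into two /25s.
# Run  sh gen-ipfw-rules.sh > /etc/ipfw.rules  and hook it in from
# /etc/rc.conf (variable names assumed from late-1990s rc.conf; check your
# own /etc/rc.firewall for the exact hook):
#   gateway_enable="YES"              # forward packets between the two NICs
#   router_enable="NO"                # static routes only, no routed
#   defaultrouter="192.0.2.1"         # ISP router on the outside /25
#   portmap_enable="NO"               # so nothing listens on port 111
#   firewall_enable="YES"
#   firewall_type="/etc/ipfw.rules"   # a filename makes rc.firewall load it
# Addresses are constructed from the documentation block 192.0.2.0/24.

oif=ed0;  out_net=192.0.2.0/25     # outside half; this box is .2, ISP router .1
iif=ed1;  in_net=192.0.2.128/25;  in_ip=192.0.2.129   # inside half; hosts' gateway

gen_rules() {
    cat <<EOF
# loopback only on lo0; nothing may claim 127/8 on a real interface
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 210 deny ip from 127.0.0.0/8 to any
# anti-spoofing: each half of the /24 may only arrive on its own interface
add 300 deny ip from ${in_net} to any in via ${oif}
add 310 deny ip from ${out_net} to any in via ${iif}
# ssh is the only management path, and only from the inside network
add 1000 allow tcp from ${in_net} to ${in_ip} 22 in via ${iif}
add 1100 deny tcp from any to any 22 in via ${oif}
# portmapper (111) must not be reachable from outside even if it runs
add 1200 deny tcp from any to any 111 in via ${oif}
add 1210 deny udp from any to any 111 in via ${oif}
# inside hosts may open TCP sessions outward; replies match "established"
add 2000 allow tcp from any to any established
add 2100 allow tcp from ${in_net} to any setup out via ${oif}
# the internal DNS server needs UDP 53 out and answers back in
add 2200 allow udp from ${in_net} to any 53 out via ${oif}
add 2210 allow udp from any 53 to ${in_net} in via ${oif}
# everything else is dropped and logged
add 65000 deny log ip from any to any
EOF
}

gen_rules
```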
