From: David G Andersen
Subject: Re: Firewall questions
To: scott@computeralt.com (Scott I. Remick)
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 4 Nov 1999 08:25:32 -0700 (MST)
Message-Id: <199911041525.IAA06533@faith.cs.utah.edu>
In-Reply-To: <4.2.2.19991104094637.00cdd9f0@mail.computeralt.com> from "Scott I. Remick" at Nov 4, 99 10:11:15 am

Lo and behold, Scott I. Remick once said:
>
> 1) I've purchased the O'Reilly book "Building Internet Firewalls", and have
> printed out chapters 6.4 and 16 from the handbook. However, is there any
> other guide that describes in better detail how to do what I am doing?
> (read on for details)

It depends what you want to accomplish with your firewall.

>
> 2) Is sendmail necessary on a firewall? I've removed all other
> non-essential daemons already (r*, telnetd, ftpd, even inetd). The only
> service running right now is ssh, which is the only way I communicate with
> this system. I've never telnetted to it.

See above: It depends what...

> 3) What the heck would be using port 111? Strobe shows it as being alive
> and listening.

portmapper. See /etc/rc.conf

> 4) How do I properly set up routes for a dual-homed firewall where both
> sides are within the same class C? This is the first time I've ever had to
> play with routing and gateways.

Subnet them into /25's, or use RFC1918 addresses on the inside.

> 5) Where's the proper place to put your ipfw rules so they get reloaded on
> every boot? rc.local?

/etc/{name} and then set your firewall name in /etc/rc.conf

> 6) Should www/ftp/dns/etc servers be inside the firewall, or in the DMZ?

Depends what you need to do with 'em. Obviously, your internal hosts need
DNS service; I'd stick a DNS server inside. As for external access to your
DNS server, that's your call (or an economic decision. :-)

WWW and FTP are traditionally put in the DMZ, but again.

> So I feel like I'm making good progress. I'm getting a good understanding
> of ipfw rules. But the routes thing has got me a bit stumped. I'm not
> clear on what routing is being done by routed, what routing is being done
> (if any) by ipfw (because rc.firewall has places for you to put in both
> sides of your firewall), and what the difference in enabling routing and
> enabling gateway is.

If you've only got a few networks, don't use routed, use static routes.

-Dave

--
work: dga@lcs.mit.edu                          me: dga@pobox.com
      MIT Laboratory for Computer Science      http://www.angio.net/
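The reply above gives the pieces but not the files. What follows is an added example, not text or code from David Andersen's message or from the FreeBSD project: a small sh script that generates the two files a dual-homed ipfw firewall of that era needs, built the way the reply suggests (the class C split into two /25s, static routes instead of routed, portmapper off, the rule set kept in a file named from /etc/rc.conf). Everything concrete in it is an assumption: the addresses come from the 192.0.2.0/24 documentation range, the interface names ed0/ed1, the rule-file path /etc/ipfw.rules and the FreeBSD 3.x-era rc.conf variable names (firewall_type naming a file, gateway_enable, router_enable, static_routes, portmap_enable) are all supplied for illustration and should be checked against the rc.conf(5) and rc.firewall shipped with the release actually installed.

```shell
#!/bin/sh
# Added example (not from the original message): generate the rc.conf
# fragment and the ipfw rule file for a dual-homed FreeBSD firewall whose
# class C is split into two /25s. Addresses are constructed (192.0.2.0/24);
# interface names, paths and rc.conf variable names are assumptions.

OIF=ed0                     # outside interface
OIF_IP=192.0.2.2            # firewall's outside address
OUTSIDE_NET=192.0.2.0/25    # lower half of the class C
DEFAULT_GW=192.0.2.1        # ISP router on the outside half
IIF=ed1                     # inside interface
IIF_IP=192.0.2.129          # firewall's inside address
INSIDE_NET=192.0.2.128/25   # upper half of the class C
INSIDE_DNS=192.0.2.130      # internal DNS server, kept inside as advised
LAN2_NET=10.1.0.0/16        # a second internal net behind an inside router
LAN2_GW=192.0.2.131
RULE_FILE=/etc/ipfw.rules

# Fragment to append to /etc/rc.conf. firewall_type may name a file, which
# /etc/rc.firewall hands to ipfw at boot (question 5). gateway_enable turns
# on forwarding between $OIF and $IIF; router_enable would start routed,
# which the reply says to skip in favour of static routes. portmap_enable
# is the daemon behind port 111 (question 3); sendmail is not needed on a
# box that only forwards packets (question 2).
rc_conf_fragment() {
    cat <<EOF
ifconfig_$OIF="inet $OIF_IP netmask 255.255.255.128"
ifconfig_$IIF="inet $IIF_IP netmask 255.255.255.128"
defaultrouter="$DEFAULT_GW"
gateway_enable="YES"
router_enable="NO"
static_routes="lan2"
route_lan2="-net $LAN2_NET $LAN2_GW"
firewall_enable="YES"
firewall_type="$RULE_FILE"
portmap_enable="NO"
inetd_enable="NO"
sendmail_enable="NO"
EOF
}

# The rule file. ipfw reads it one rule per line and does no variable
# expansion of its own, so the shell expands the addresses here, when the
# file is generated, not when it is loaded at boot.
ipfw_rules() {
    cat <<EOF
# generated by the added example; loaded at boot via firewall_type
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
# anti-spoofing: inside source addresses never arrive on $OIF
add 300 deny log ip from $INSIDE_NET to any in via $OIF
add 310 deny log ip from $LAN2_NET to any in via $OIF
# packets belonging to TCP sessions already set up
add 1000 allow tcp from any to any established
# the firewall itself offers ssh only, and only from the inside
add 2000 allow tcp from $INSIDE_NET to $IIF_IP 22 in via $IIF setup
add 2010 deny log tcp from any to $OIF_IP in via $OIF setup
# inside hosts may open outbound TCP sessions
add 3000 allow tcp from $INSIDE_NET to any out via $OIF setup
add 3010 allow tcp from $LAN2_NET to any out via $OIF setup
# the internal DNS server resolves against the outside world over UDP
add 4000 allow udp from $INSIDE_DNS to any 53 out via $OIF
add 4010 allow udp from any 53 to $INSIDE_DNS in via $OIF
# everything else is dropped and logged
add 65000 deny log ip from any to any
EOF
}

# check_rc_conf FILE: succeed only if FILE disables portmap (port 111)
# and turns on both the firewall and packet forwarding.
check_rc_conf() {
    grep -q '^portmap_enable="NO"$' "$1" &&
    grep -q '^firewall_enable="YES"$' "$1" &&
    grep -q '^gateway_enable="YES"$' "$1"
}

# Usage: sh fw-setup.sh rc >> /etc/rc.conf
#        sh fw-setup.sh ipfw > /etc/ipfw.rules
case "${1:-}" in
    rc)   rc_conf_fragment ;;
    ipfw) ipfw_rules ;;
esac
```

Two caveats a practitioner would want. First, with each /25 on its own interface the firewall needs no static route for either half; both are interface routes, and only the default route and the route to the second internal net are configured. What does need a route is the ISP's router, which must send 192.0.2.128/25 to the firewall's outside address, so that half of the class C has to be arranged with the upstream, which is why the reply offers RFC1918 addresses on the inside as the alternative. Second, the `established` rule is the 1999 idiom for letting replies back in: it matches any TCP packet with ACK set, so it also passes ACK-flagged probes that never belonged to a session; later ipfw releases replaced it with stateful `keep-state`/`check-state` rules.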