From owner-freebsd-questions@FreeBSD.ORG Sun Feb 13 14:46:11 2005
From: Erik Norgaard
Date: Sun, 13 Feb 2005 15:46:09 +0100
To: dick hoogendijk
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter outgoing
Message-ID: <420F6831.8030203@locolomo.org>
In-Reply-To: <20050213143319.0fe50e3f.dick@nagual.st>

dick hoogendijk wrote:
> It's difficult to program all outgoing filter rules in ipf. Every now
> and then I bump into a blocked connection that I did want to work in the
> first place. Only because an outgoing port was/is blocked.
>
> What is the most secure way to do things? Block all outgoing and open up
> what I want or can I use i.e. the next rule in a safe way:
>
> ### pass out quick proto tcp/udp from any to any keep state keep frags
>
> Any help or suggestions are appreciated. Yes I did read all the ipf help
> files but it dazzles me.
What are you protecting against? If you are the only user, and you trust yourself, and you can assume that your system has not been compromised, then all outgoing connections are legitimate.

Usually you filter incoming connections. Filtering outgoing has the effect of limiting the spread of a possible compromise or abuse by non-privileged users.

If you want to restrict outgoing, then allow anything below port 1024 - if this is too much then read /etc/services. Above 1024 are all the non-standard services, kazaa, skype, X, mysql and other stuff.

Beware, that cvsup connects to port 5999, and passive ftp-data connects to some port > 1024 depending on server config (however I think default is/should be > 49151).

Cheers, Erik

--
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
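Erik's outbound policy (block by default, pass ports below 1024 statefully, explicit exceptions for cvsup on 5999 and passive ftp-data above 49151), written out as an ipf ruleset and checked with a small evaluator of ipf's "last matching rule wins, unless it is quick" semantics. This is an added example, not code from the thread; the interface name fxp0, the ruleset and the evaluator are assumptions, and only destination ports in the "to" clause are handled.

```python
import re

# Constructed ruleset following the advice in the reply. "fxp0" is an
# assumed interface name. The first rule blocks everything going out;
# the quick rules below it carve out what is allowed.
RULESET = """
block out log on fxp0 all
pass out quick on fxp0 proto tcp/udp from any to any port < 1024 keep state keep frags
pass out quick on fxp0 proto tcp from any to any port = 5999 keep state
pass out quick on fxp0 proto tcp from any to any port 49151 >< 65536 keep state
"""

# ipf port syntax: "port OP n" or "port lo >< hi" (exclusive range) / "port lo <> hi" (outside range)
PORT_RE = re.compile(r"port\s+(?:(\d+)\s+(><|<>)\s+(\d+)|(=|!=|<|>|<=|>=)\s+(\d+))")

def parse_rule(line):
    """Parse the subset of ipf syntax used above into action/quick/proto/port-test."""
    words = line.split()
    rule = {"action": words[0], "quick": "quick" in words, "proto": None, "port": None}
    if "proto" in words:
        rule["proto"] = words[words.index("proto") + 1].split("/")   # "tcp/udp" -> both
    m = PORT_RE.search(line)
    if m and m.group(2):
        lo, op, hi = int(m.group(1)), m.group(2), int(m.group(3))
        rule["port"] = (lambda p: lo < p < hi) if op == "><" else (lambda p: p < lo or p > hi)
    elif m:
        op, n = m.group(4), int(m.group(5))
        ops = {"=": lambda p: p == n, "!=": lambda p: p != n, "<": lambda p: p < n,
               ">": lambda p: p > n, "<=": lambda p: p <= n, ">=": lambda p: p >= n}
        rule["port"] = ops[op]
    return rule

def matches(rule, proto, dport):
    if rule["proto"] and proto not in rule["proto"]:
        return False
    return rule["port"] is None or rule["port"](dport)

def verdict(ruleset, proto, dport):
    """Return 'pass' or 'block' for an outgoing packet: the last matching rule
    wins, except that a matching 'quick' rule ends evaluation immediately.
    With no matching rule at all, ipf's implicit default is to pass."""
    result = "pass"
    for line in ruleset.strip().splitlines():
        rule = parse_rule(line)
        if matches(rule, proto, dport):
            result = rule["action"]
            if rule["quick"]:
                break
    return result
```

Removing the default block rule shows why it matters: without it, a port such as 8080 is passed by ipf's implicit default rather than blocked.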