From: "nascar24"
To: "Gerhard Sittig"
Subject: Re: Making a firewall more closed
Date: Tue, 2 Jul 2002 02:45:37 +0200

What I mean is that I want to grant access to the internet. But only to ports I
'trust', like 80,21,22 etc.
But when I make a rule like:

add 550 allow ip from me to any 80,21,22

I cannot access a website, that puzzles me.

> On Mon, Jul 01, 2002 at 15:57 +0200, nascar24 wrote:
> >
> > I've been using the IPFW for some time now but I have one problem. I have
> > closed my firewall (I guess) from attacks from the outside world. But I am
> > open to attacks from within, i.e: trojan horses etc.
> >
> > Here is my rc.firewall.rules file. I think it is in rule 500 & 550. But if I
> > change them to 21,22,80,8080 I cannot connect to any websites or FTP sites.
> >
> > [ filter rule set snipped ]
> >
> > I hope you can help, thanks in advance.
>
> What exactly is your question?
>
> If you want to "less trust the inside", close the inner interface
> as much as you did with the outside.
>
> If you are looking for hints on how to generally improve your
> filter rules I strongly suggest you have a look at the ipfilter
> HowTo -- even if you don't use ipf: this document talks about
> the basics, too, plus derives / designs a rule set from bottom
> up. Visit www.ipfilter.org or look at the misc/26763 PR (Cyrille
> Lefevre, "installing ipfilter sample files to share/examples").
>
>
> virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
> Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
> --
> If you don't understand or are scared by any of the above
> ask your parents or an adult to help you.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message