Date: Wed, 27 Feb 2002 11:34:56 +0100
From: Bart Matthaei <bart@dreamflow.nl>
To: Geert Houben <sec@hict.nl>
Cc: security@freebsd.org
Subject: Re: best firewall option for FreeBSD
Message-ID: <20020227113456.L62131@heresy.dreamflow.nl>
In-Reply-To: <3C7CB173.5F5A9837@hict.nl>; from sec@hict.nl on Wed, Feb 27, 2002 at 11:14:11AM +0100
References: <3C7CB173.5F5A9837@hict.nl>
On Wed, Feb 27, 2002 at 11:14:11AM +0100, Geert Houben wrote:
[snip]

Correct me if I'm wrong. The easiest way of achieving this is to deny
everything coming from your internal net by default, and set up rules
to allow certain services, like ssh.

Example:

  # allow established connections ( remote host -> source port on client )
  ipfw add pass all from any to any established

  ipfw add pass tcp from any to any 22 recv $internal_nic # allow ssh
  ipfw add pass tcp from any to any 80 recv $internal_nic # allow http
  ipfw add pass tcp from any to any 21 recv $internal_nic # allow ftp

  <insert some more firewall rules>

  ipfw add deny all from any to any recv $internal_nic

You'll get a pretty long set of firewall rules, but that doesn't matter.

You should also decide if you want your internal net to have public or
private IP space (and if private, whether to use ipnat or natd: natd
runs in userland, so that's no option for large networks (imho). ipnat
runs in the kernel, so it performs better for large nets.)

Regards,

Bart

-- 
Bart Matthaei bart@dreamflow.nl
Kiss me twice. I'm schizophrenic.
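The default-deny ruleset Bart sketches above, written out as a small script. This is an added example, not code from the original message or from FreeBSD; the interface name, the rule-emitting helper and the ordering check are assumptions for illustration. It generalises the three hand-written allow rules into a loop over a service list, prints every ipfw command so the ruleset can be reviewed before it is loaded, and only calls ipfw when APPLY=yes. The ordering check exists because ipfw is first-match: an allow rule placed after the final deny is never reached, which is the easiest way to break a ruleset of the length the message warns about.

```shell
#!/bin/sh
# Added example (not from the original message): build a default-deny
# ipfw ruleset for the internal interface from a list of TCP services.
# Interface name, service list and rule text are assumptions.

INTERNAL_NIC="${INTERNAL_NIC:-fxp1}"       # assumed internal interface name
TCP_SERVICES="${TCP_SERVICES:-22 80 21}"   # ssh, http, ftp as in the message
APPLY="${APPLY:-no}"                       # APPLY=yes actually loads the rules

# Emit one rule: always print it, run "ipfw add" only when APPLY=yes.
rule() {
    echo "ipfw add $*"
    if [ "$APPLY" = "yes" ]; then
        ipfw add "$@" || return 1
    fi
}

# Generate the ruleset in order. ipfw is first-match, so every allow
# rule must come before the closing deny on the internal interface.
gen_rules() {
    # replies to connections the clients opened
    rule pass all from any to any established
    # one allow rule per permitted service, inbound on the internal NIC
    for port in $TCP_SERVICES; do
        rule pass tcp from any to any "$port" recv "$INTERNAL_NIC"
    done
    # everything else from the internal net is dropped
    rule deny all from any to any recv "$INTERNAL_NIC"
}

# Sanity check on a generated list read from stdin: there must be a
# final deny, and no rule may follow it (it would be unreachable).
verify_order() {
    awk '
        BEGIN             { bad = 0; seen_deny = 0 }
        /^ipfw add deny / { seen_deny = 1; next }
        seen_deny         { print "rule after final deny: " $0; bad = 1 }
        END               { if (!seen_deny) { print "no final deny"; bad = 1 }
                            exit bad }
    '
}

# Number of rules the current service list produces (established + N + deny).
rule_count() {
    gen_rules | wc -l | tr -d ' '
}

# Stand-alone use: print the ruleset and check it.
gen_rules | verify_order
```

Run it as-is to review the generated commands; run with APPLY=yes (as root, on a kernel with IPFIREWALL compiled in) to load them. Extra services are added by setting TCP_SERVICES rather than by editing rules, so the closing deny always stays last.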