From owner-freebsd-security Wed Nov 29 18: 4:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from secure.smtp.email.msn.com (cpimssmtpu07.email.msn.com [207.46.181.28]) by hub.freebsd.org (Postfix) with ESMTP id 3447337B400; Wed, 29 Nov 2000 18:04:35 -0800 (PST) Received: from x86nts4 - 216.103.48.12 by email.msn.com with Microsoft SMTPSVC; Wed, 29 Nov 2000 18:04:34 -0800 Message-ID: <013b01c05a72$d1f96d10$fd01a8c0@pacbell.net> From: "John Howie" To: "Jonathan M. Slivko" , Cc: References: Subject: Re: Danger Ports Date: Wed, 29 Nov 2000 18:11:15 -0800 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1800 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Jonathan, Rather than denying access to certain ports on your system, and allowing access to the rest, you might find it easier to think in the reverse - What ports do I need to leave open to outside (presumably Internet) users? The answer to that question depends on the needs of your outside users. You will probably need to allow SSH access, and I would suggest that you get users to use SCP instead of FTP (unless you have a public FTP site that allows anonymous connections). You might also need to open up access to SMTP and POP3 services for mail (while ensuring that your site can't be used as a mail relay). DNS is another service that you might need to provide access to. If users need access to so-called dangerous services such as X, printer, NFS, NIS, SNMP, etc. then I would look for a VPN solution that brings them into your network through the firewall and allows them to access these services as an internal user. O'Reilly does a good book on Firewall Security, I suggest that you get it and have a read. CERT also has a good document on packet filtering (http://www.cert.org). Also, check the FreeBSD handbook or The Complete FreeBSD for more information about setting up firewalls on FreeBSD systems. Hope this helps, john... ----- Original Message ----- From: "Jonathan M. Slivko" To: Cc: Sent: Wednesday, November 29, 2000 5:23 PM Subject: Danger Ports > Can someone tell me what are the "danger" ports on FreeBSD, ports that > perhaps need to be blocked because they are insecure? I would like to know > so in the future, I can prevent outside attacks and concentrate more on > internal attacks, or "insider jobs" as they're called. > > ---- > Jonathan M. Slivko > Technical Support, CoreSync Corporation (http://www.coresync.net) > Team Leader, SecureIRC Project (http://secureirc.sourceforge.net) > Pager/Voicemail: (917) 388-5304 > ---- > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message