Date: Wed, 27 Feb 2002 11:52:22 +0000
From: Baldur Gislason <baldur@foo.is>
To: Bart Matthaei <bart@dreamflow.nl>
Cc: freebsd-security@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: best firewall option for FreeBSD
Message-ID: <02022711522201.07860@germanium>
In-Reply-To: <20020227113456.L62131@heresy.dreamflow.nl>
References: <3C7CB173.5F5A9837@hict.nl> <20020227113456.L62131@heresy.dreamflow.nl>
It's never a good idea to silently deny incoming connections on port 113 (RFC1413 ident), as remote daemons you connect to often try establishing a connection to your host on that port, and you won't be served until they've timed out on the ident connection.

Also, never trust your local users too much, especially if you have a wireless network. The most practical design is a DMZ (De-Militarized Zone) for the servers, external net and partially trusted user network. If you have a wireless network it may even be a good idea to isolate that from the rest of the user network, as you must not trust the wireless users at all unless they're authenticated somehow.

On the DMZ you'd allow in certain ports on each server, and range 49152 through 65535 (dynamic port range) may be a good idea if you run an ftpd and want users to be able to use passive transfers (that applies to most users that are behind a firewall).

Baldur

On Wednesday 27 February 2002 10:34, you wrote:
> On Wed, Feb 27, 2002 at 11:14:11AM +0100, Geert Houben wrote:
> [snip]
> > Correct me if I'm wrong.
>
> The easiest way of achieving this is to deny everything coming
> from your internal net by default, and set up rules to allow certain
> services, like ssh.
>
> Example:
>
> # allow established connections ( remote host -> source port on client )
> ipfw add pass all from any to any established
>
> ipfw add pass tcp from any to any 22 recv $internal_nic # allow ssh
> ipfw add pass tcp from any to any 80 recv $internal_nic # allow http
> ipfw add pass tcp from any to any 21 recv $internal_nic # allow ftp
>
> <insert some more firewall rules>
>
> ipfw add deny all from any to any recv $internal_nic
>
> You'll get a pretty long set of firewall rules, but that doesn't
> matter.
>
> You should also decide if you want your internal net to have public or
> private ipspace (and if private, using ipnat or natd:
>
> natd runs in userland, so that's no option for large networks (imho).
> ipnat runs in the kernel, so it performs better for large nets.
>
> ).
>
> Regards,
>
> Bart
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?02022711522201.07860>
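The ruleset below is an added example, not code from either poster. It puts the two messages' advice into one ipfw rule generator for the three-legged layout Baldur describes (external, DMZ, user LAN) plus an isolated wireless segment, and adds Bart's deny-by-default policy for the wired LAN. The ident point is handled with `reset` rather than a silent `deny`, so a remote daemon probing port 113 gets an immediate RST instead of waiting for a timeout. Interface names (fxp0, fxp1, fxp2, wi0), the 192.0.2.x server addresses and the 10.0.x.0/24 networks are assumed placeholders; the script only prints the rules so they can be reviewed before being loaded.

```shell
#!/bin/sh
# Added example: emit an ipfw ruleset for an external/DMZ/LAN/wireless
# layout.  Nothing here touches the live firewall; the output is text.

ext_if="${ext_if:-fxp0}"            # assumed: external (upstream) interface
dmz_if="${dmz_if:-fxp1}"            # assumed: DMZ interface
lan_if="${lan_if:-fxp2}"            # assumed: wired user LAN interface
wlan_if="${wlan_if:-wi0}"           # assumed: wireless segment interface
dmz_www="${dmz_www:-192.0.2.11}"    # assumed: DMZ web server (documentation range)
dmz_ftp="${dmz_ftp:-192.0.2.10}"    # assumed: DMZ ftp server (documentation range)
lan_net="${lan_net:-10.0.1.0/24}"   # assumed: wired user LAN
wlan_net="${wlan_net:-10.0.2.0/24}" # assumed: wireless user network

gen_rules() {
    # Packets belonging to an already established TCP flow pass in both
    # directions; every later rule only has to deal with connection setup.
    echo "add 100 pass tcp from any to any established"

    # Ident (RFC1413): refuse instead of silently dropping, so remote
    # daemons probing 113 get a RST at once rather than waiting to time out.
    echo "add 200 reset tcp from any to any 113 in via $ext_if"

    # DMZ servers: only the published service ports, setup packets only.
    echo "add 300 pass tcp from any to $dmz_www 80 in via $ext_if setup"
    echo "add 310 pass tcp from any to $dmz_ftp 21 in via $ext_if setup"
    # Passive FTP data connections arrive on the ftpd's dynamic range.
    echo "add 320 pass tcp from any to $dmz_ftp 49152-65535 in via $ext_if setup"

    # Wireless users are untrusted: they never reach the wired LAN directly.
    echo "add 400 deny ip from $wlan_net to $lan_net in via $wlan_if"

    # Wired LAN (Bart's approach): deny by default, allow named services.
    echo "add 500 pass tcp from $lan_net to any 22,80,21 recv $lan_if setup"
    echo "add 510 deny ip from any to any recv $lan_if"

    # Anything else arriving from outside or from wireless is dropped.
    echo "add 65000 deny ip from any to any in via $ext_if"
    echo "add 65010 deny ip from any to any in via $wlan_if"
}

# Number of generated rules, handy when comparing against a loaded set.
count_rules() {
    gen_rules | wc -l | tr -d ' '
}

# Print the rules; to load them, prefix each with ipfw (see usage note).
gen_rules
```

To load the generated set on a FreeBSD host after reviewing it, run `gen_rules | sed 's/^/ipfw -q /' | sh` from a console session rather than over the network, since rule 510 drops everything from the LAN that an earlier rule has not explicitly allowed. The `setup` keyword on the pass rules limits them to the initial SYN; data packets of the resulting connection are matched by rule 100.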