From: Baldur Gislason
To: Bart Matthaei
Cc: freebsd-security@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: best firewall option for FreeBSD
Date: Wed, 27 Feb 2002 11:52:22 +0000
Message-Id: <02022711522201.07860@germanium>
In-Reply-To: <20020227113456.L62131@heresy.dreamflow.nl>
References: <3C7CB173.5F5A9837@hict.nl> <20020227113456.L62131@heresy.dreamflow.nl>

It's never a good idea to silently deny incoming connections on port 113 (RFC1413 ident), as remote daemons you connect to often try establishing a connection to your host on that port and you won't be served until they've timed out on the ident connection.

Also, never trust your local users too much, especially if you have a wireless network. The most practical design is a DMZ (De-Militarized Zone) for the servers, external net and partially trusted user network; if you have a wireless network it may even be a good idea to isolate that from the rest of the user network, as you must not trust the wireless users at all unless they're authenticated somehow.
On the DMZ you'd allow in certain ports on each server, and range 49152 through 65535 (dynamic port range) may be a good idea if you run an ftpd and want users to be able to use passive transfers (that applies to most users that are behind a firewall).

Baldur

On Wednesday 27 February 2002 10:34, you wrote:
> On Wed, Feb 27, 2002 at 11:14:11AM +0100, Geert Houben wrote:
> [snip]
> > Correct me if I'm wrong.
>
> The easiest way of achieving this is to deny everything coming
> from your internal net by default, and set up rules to allow certain
> services, like ssh.
>
> Example:
>
> # allow established connections ( remote host -> source port on client )
> ipfw add pass all from any to any established
>
> ipfw add pass tcp from any to any 22 recv $internal_nic # allow ssh
> ipfw add pass tcp from any to any 80 recv $internal_nic # allow http
> ipfw add pass tcp from any to any 21 recv $internal_nic # allow ftp
>
> ipfw add deny all from any to any recv $internal_nic
>
> You'll get a pretty long set of firewall rules, but that doesn't
> matter.
>
> You should also decide if you want your internal net to have public or
> private ipspace (and if private, using ipnat or natd:
>
> natd runs in userland, so that's no option for large networks (imho).
> ipnat runs in the kernel, so it performs better for large nets.
>
> ).
>
> Regards,
>
> Bart

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
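The design Baldur describes (a DMZ with only the published ports per host plus the 49152-65535 range for passive FTP, a TCP reset rather than a silent drop on port 113, and the wireless segment kept away from the wired user net) written out as an ipfw(8) script. This is an added example for this archive page, not code from either poster; the interface names, the 192.168.1.0/24 and 192.0.2.10 addresses, the rule numbers and the use of check-state/keep-state for DNS are all assumptions. Run it with `apply` to load the rules, or with no argument to print them.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw(8) ruleset that follows the
# advice above. Interfaces, addresses and rule numbers are assumed values.
fwcmd="${fwcmd:-/sbin/ipfw}"          # set fwcmd=echo to print rules instead of loading them
ext_if="${ext_if:-fxp0}"              # assumed: external interface
int_if="${int_if:-fxp1}"              # assumed: wired user network
wl_if="${wl_if:-wi0}"                 # assumed: wireless user network
int_net="${int_net:-192.168.1.0/24}"  # assumed: wired user network prefix
ftp_srv="${ftp_srv:-192.0.2.10}"      # assumed: FTP server living in the DMZ

load_rules() {
    $fwcmd -f flush

    # Dynamic (keep-state) entries first, then already-established TCP sessions.
    $fwcmd add 100 check-state
    $fwcmd add 110 pass tcp from any to any established

    # Ident (RFC 1413): answer with a TCP RST instead of dropping the SYN, so a
    # remote daemon that probes us fails at once rather than waiting for a timeout.
    $fwcmd add 200 reset tcp from any to any 113 in via "$ext_if"

    # DMZ: only the published service on each host, plus the dynamic port range
    # that passive FTP data connections land on.
    $fwcmd add 300 pass tcp from any to "$ftp_srv" 21 in via "$ext_if"
    $fwcmd add 310 pass tcp from any to "$ftp_srv" 49152-65535 in via "$ext_if"

    # Wireless users are untrusted: keep them off the wired user network.
    $fwcmd add 400 deny all from any to "$int_net" in recv "$wl_if"

    # Both user segments: a few services out, everything else denied by default.
    for nic in "$int_if" "$wl_if"; do
        $fwcmd add 500 pass tcp from any to any 22 in recv "$nic"              # ssh
        $fwcmd add 510 pass tcp from any to any 80 in recv "$nic"              # http
        $fwcmd add 520 pass udp from any to any 53 in recv "$nic" keep-state   # dns
        $fwcmd add 590 deny all from any to any in recv "$nic"
    done

    # Traffic that the per-segment rules let in may leave towards the outside.
    $fwcmd add 600 pass all from any to any out via "$ext_if"

    # Everything not explicitly allowed above is dropped.
    $fwcmd add 65000 deny all from any to any
}

# Print the rules instead of loading them (fwcmd becomes echo).
dry_run() {
    fwcmd=echo
    load_rules
}

if [ "${1:-}" = "apply" ]; then
    load_rules
else
    dry_run
fi
```

Each forwarded packet is checked twice by ipfw, once on the interface it arrives on and once on the one it leaves by, which is why the user-net rules match on `in recv` and rule 600 then passes the outbound leg on the external interface; TCP replies come back through rule 110 and DNS replies through the state entry created by rule 520.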