From: Eric F Crist <ecrist@adtechintegrated.com>
Organization: AdTech Integrated Systems, Inc
Cc: FreeBSD questions List <freebsd-questions@freebsd.org>
Date: Sat, 14 Feb 2004 10:45:52 -0600
Subject: Re: Running processes...
Message-Id: <200402141046.04388.ecrist@adtechintegrated.com>

On Saturday 14 February 2004 10:26 am, JJB wrote:
> This port map is only showing you what ports are open to accept
> start requests from the public internet. Looks like you are using
> IPFW with stateless rules, which just provides a very basic level
> of security. Use stateful rules with 'out' and 'via' keywords to
> separate your firewall into outbound control, where you allow all
> these ports listed below out to the public internet. Then for the
> inbound side use stateful rules with 'in' and 'via' keywords,
> allowing in only the ports that you have servers running on. That
> will close all those listed ports to inbound availability. If you
> have a LAN behind your gateway and are using ipfw with the divert rule
> legacy sub-routine call to userland natd, then stateful rules do not work
> because of a legacy bug in the basic concept design of this process. Use
> IPFILTER; its stateful rules work in a NATed environment and as such
> provide a much higher level of security than IPFW can provide in
> a NATed environment. I have an IPFILTER sample rule set if you are
> interested.

Thanks for the reply. This is not a NATed environment. For the time being,
I've got DSL with a /29 network. I'm running DNS, mail, etc. right from my
own box. I guess my question was, what are those two services I listed?
Submission and hp-alrm-mgr? Are there any ipfw rules that I SHOULD set?

Here's my current ruleset:

00100 1622 256612 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
00600 3931 501305 allow ip from any to any
65535    0      0 deny ip from any to any

This is obviously a very wide-open server right now. I'm guessing I should
add some rules like the following?

change 0600 to allow ip from any to any established
add allow ip from any to port
add allow ip from any to port
add allow ip from any to port
add allow ip from any to port
add allow ip from any to port
add allow ip from any to port
add allow ip from any to port
add allow ip from any to port <110>
add allow ip from any to port <443>
add deny ip from any to via dc0 port
add deny ip from any to

The mysql, I assume, since the only thing accessing it should be my local web
server, I don't need it to have public (inet) access?

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588
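As an added example (not posted by JJB or Eric, and not the ruleset JJB offers), the shape of the stateful ipfw layout JJB describes, written as a small sh script. It assumes dc0 is the public interface (the only interface Eric's draft names) and that the public services are SMTP on 25, DNS on 53, POP3 on 110 and HTTPS on 443; 25 and 53 are assumptions based on "DNS, mail" in the post, and the function names gen_rules, apply_rules and port_exposed are hypothetical. Outbound flows from the box itself get keep-state entries, inbound is limited to the served ports, and everything else is denied and logged. mysql is deliberately absent from the inbound list, which is what keeps it reachable only from the local web server. One caveat on the draft above: ipfw's `established` keyword matches any TCP packet carrying ACK or RST, with no memory of an earlier SYN, whereas check-state/keep-state only admits packets that belong to a flow already recorded in the dynamic table.

```shell
#!/bin/sh
# Added example: stateful ipfw ruleset generator for a single public host.
# Assumptions (not from the thread): public interface dc0, served ports
# 25/53/110/443 (TCP) and 53 (UDP), no LAN behind the box, no natd.
# gen_rules only prints ipfw(8) commands; apply_rules feeds them to ipfw -q.

EXT_IF="${EXT_IF:-dc0}"
TCP_SERVICES="${TCP_SERVICES:-25,53,110,443}"   # inbound TCP ports we serve
UDP_SERVICES="${UDP_SERVICES:-53}"               # inbound UDP ports we serve

# Print the ruleset in the line format ipfw(8) accepts from a file.
gen_rules() {
    cat <<EOF
flush
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 00400 check-state
add 00500 allow tcp from me to any out via $EXT_IF setup keep-state
add 00510 allow udp from me to any out via $EXT_IF keep-state
add 00520 allow icmp from me to any out via $EXT_IF keep-state
add 00600 allow tcp from any to me $TCP_SERVICES in via $EXT_IF setup keep-state
add 00610 allow udp from any to me $UDP_SERVICES in via $EXT_IF keep-state
add 65000 deny log ip from any to any
EOF
}

# Load the generated rules into the kernel (requires root and ipfw(4)).
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules > "$tmp" && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Return 0 if port $1 is reachable from the public interface under this
# ruleset, 1 otherwise. Lets you confirm a service such as mysql stays closed.
port_exposed() {
    for p in $(printf '%s,%s' "$TCP_SERVICES" "$UDP_SERVICES" | tr ',' ' '); do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it with no arguments to review the rules, or as `sh script.sh apply` on the FreeBSD box to load them; `port_exposed 3306` is a quick way to check that a service you never listed really has no inbound rule.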