Date:      Sat, 14 Feb 2004 11:51:35 -0600
From:      "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>
To:        ecrist@adtechintegrated.com
Cc:        FreeBSD questions List <freebsd-questions@freebsd.org>
Subject:   Re: Running processes...
Message-ID:  <402E6027.6010500@daleco.biz>
In-Reply-To: <200402141046.04388.ecrist@adtechintegrated.com>
References:  <MIEPLLIBMLEEABPDBIEGIEBFFLAA.Barbish3@adelphia.net> <200402141046.04388.ecrist@adtechintegrated.com>

Eric F Crist wrote:

>On Saturday 14 February 2004 10:26 am, JJB wrote:
>
>>This port map is only showing you what ports are open to accept
>>start requests from the public internet. Looks like you are using
>>IPFW with stateless rules, which just provides a very basic level
>>of security. Use stateful rules with 'out' and 'via' keywords to
>>separate your firewall into outbound control where you allow all
>>these ports listed below out to the public internet. Then for the
>>inbound side use stateful rules with 'in' and 'via' keywords
>>allowing in only the ports that you have servers running on. That
>>will close all those listed ports to inbound availability. If you
>>have a LAN behind your gateway and are using ipfw with the divert rule legacy
>>sub-routine call to userland natd, then stateful rules do not work
>>because of a legacy bug in the basic concept design of this process. Use
>>IPFILTER; its stateful rules work in a NATed environment and as such
>>provide a much higher level of security than IPFW can provide in
>>a NATed environment. I have an IPFILTER sample rule set if you are
>>interested.
>
>Thanks for the reply.  This is not a NATed environment.  For the time being,
>I've got DSL with a /29 network.  I'm running DNS, Mail, etc right from my 
>own box.  I guess my question was, what are those two services I listed?  
>Submission and hp-alrm-mgr?  Are there any ipfw rules that I SHOULD set?  
>Here's my current ruleset:
>
>00100 1622 256612 allow ip from any to any via lo0
>00200    0      0 deny ip from any to 127.0.0.0/8
>00300    0      0 deny ip from 127.0.0.0/8 to any
>00600 3931 501305 allow ip from any to any
>65535    0      0 deny ip from any to any
>
>This is obviously a very wide-open server right now.  I'm guessing I should
>add some rules like the following?
>
>change 0600 to allow ip from any to any established
>add allow ip from any to <server ip address> port <mail>
>add allow ip from any to <server ip address> port <ftp>
>add allow ip from any to <server ip address> port <irc1>
>add allow ip from any to <server ip address> port <irc2>
>add allow ip from any to <server ip address> port <irc3>
>add allow ip from any to <server ip address> port <ssh>
>add allow ip from any to <server ip address> port <dns>
>add allow ip from any to <server ip address> port <110>
>add allow ip from any to <server ip address> port <443>
>add deny ip from any to <server ip address> via dc0 port <mysql>
>add deny ip from any to <server ip address>
>
>The mysql, I assume, since the only thing accessing it should be my local web 
>server, I don't need it to have public (inet) access?
>
Sample FTP/SMTP/DNS/HTTP entry:

    # Accept only the initial SYN ("setup") for each served port; in ipfw syntax
    # the port number follows the address, before the "in via" options.
    add allow tcp from any to ${me} 22 in via ${oif} setup
    add allow tcp from any to ${me} 25 in via ${oif} setup
    add allow tcp from any to ${me} 53 in via ${oif} setup
    add allow tcp from any to ${me} 80 in via ${oif} setup

These must be paired with, later in the list:

    # Matches TCP packets with ACK or RST set, i.e. the rest of the connections
    # that the "setup" rules above admitted.
    add allow tcp from any to ${me} established


HTH,

Kevin Kinsey
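An added example, not part of Kevin's message or the original thread: a small rc.firewall-style script that applies the "setup" / "established" pattern above to the services Eric listed, with the MySQL port explicitly denied from outside and a logged default deny at the end. The host address and outside interface are passed as arguments, the port list is constructed, and FWCMD defaults to "echo" so the script is a dry run unless invoked with FWCMD=ipfw on a FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the original message). Assumed: $1 = public address
# of this host, $2 = outside NIC; port list is constructed; FWCMD defaults to
# "echo" for a dry run, set FWCMD=ipfw to actually load the rules.

# Emit the ruleset as text, one "add ..." rule per line.
build_rules() {
    me="$1"
    oif="$2"
    # Constructed service list: ssh smtp dns http pop3 https.
    inbound_tcp="22 25 53 80 110 443"

    echo "add 00100 allow ip from any to any via lo0"
    echo "add 00200 deny ip from any to 127.0.0.0/8"
    echo "add 00300 deny ip from 127.0.0.0/8 to any"

    # Accept only the initial SYN ("setup") for ports we actually serve.
    n=1000
    for p in $inbound_tcp; do
        echo "add $(printf %05d "$n") allow tcp from any to ${me} ${p} in via ${oif} setup"
        n=$((n + 10))
    done
    echo "add 02000 allow udp from any to ${me} 53 in via ${oif}"
    # Replies to this host's own DNS lookups (stateless, so source port 53).
    echo "add 02010 allow udp from any 53 to ${me} in via ${oif}"

    # Explicit, logged deny for MySQL from the outside. It sits before the
    # "established" rule because that rule is stateless: it matches any TCP
    # packet with ACK or RST set, whether or not a connection exists.
    echo "add 02100 deny log tcp from any to ${me} 3306 in via ${oif}"

    # Pass the rest of the connections the setup rules admitted, plus this
    # host's own outbound traffic.
    echo "add 02200 allow tcp from any to any established"
    echo "add 02300 allow ip from ${me} to any out via ${oif}"

    # Default deny, logged, so anything not explicitly opened is visible.
    echo "add 65000 deny log ip from any to any"
}

# Feed each rule to ${FWCMD}; with the default "echo" it only prints them.
apply_rules() {
    build_rules "$@" | while read -r line; do
        ${FWCMD:-echo} $line
    done
}
```

Run `sh script.sh` via `apply_rules 192.0.2.10 dc0` to see the rules; only with FWCMD=ipfw and a flushed ruleset would they be loaded.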



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?402E6027.6010500>