From owner-freebsd-questions@FreeBSD.ORG Sat Feb 14 09:52:52 2004
From: "Kevin D. Kinsey, DaleCo, S.P."
Date: Sat, 14 Feb 2004 11:51:35 -0600
To: ecrist@adtechintegrated.com
Cc: Barbish3@adelphia.net, FreeBSD questions List
Subject: Re: Running processes...
Message-ID: <402E6027.6010500@daleco.biz>
In-Reply-To: <200402141046.04388.ecrist@adtechintegrated.com>
References: <200402141046.04388.ecrist@adtechintegrated.com>

Eric F Crist wrote:

> On Saturday 14 February 2004 10:26 am, JJB wrote:
>
>> This port map is only showing you what ports are open to accept
>> start requests from the public internet. Looks like you are using
>> IPFW with stateless rules, which just provides a very basic level
>> of security. Use stateful rules with 'out' and 'via' keywords to
>> separate your firewall into outbound control, where you allow all
>> these ports listed below out to the public internet. Then for the
>> inbound side use stateful rules with 'in' and 'via' keywords,
>> allowing in only the ports that you have servers running on. That
>> will close all those listed ports to inbound availability. If you
>> have a LAN behind your gateway and are using ipfw with the divert rule
>> (legacy sub-routine call to userland natd), then stateful rules do not
>> work because of a legacy bug in the basic concept design of this
>> process. Use IPFILTER; its stateful rules work in a NATed environment
>> and as such provide a much higher level of security than IPFW can
>> provide in a NATed environment. I have an IPFILTER sample rule set if
>> you are interested.
>
> Thanks for the reply. This is not a NATed environment. For the time
> being, I've got DSL with a /29 network. I'm running DNS, Mail, etc.
> right from my own box. I guess my question was, what are those two
> services I listed? Submission and hp-alrm-mgr? Are there any ipfw
> rules that I SHOULD set? Here's my current ruleset:
>
> 00100 1622 256612 allow ip from any to any via lo0
> 00200    0      0 deny ip from any to 127.0.0.0/8
> 00300    0      0 deny ip from 127.0.0.0/8 to any
> 00600 3931 501305 allow ip from any to any
> 65535    0      0 deny ip from any to any
>
> This is obviously a very wide-open server right now. I'm guessing I
> should add some rules like the following?
>
> change 0600 to allow ip from any to any established
> add allow ip from any to port
> add allow ip from any to port
> add allow ip from any to port
> add allow ip from any to port
> add allow ip from any to port
> add allow ip from any to port
> add allow ip from any to port
> add allow ip from any to port <110>
> add allow ip from any to port <443>
> add deny ip from any to via dc0 port
> add deny ip from any to
>
> The mysql, I assume, since the only thing accessing it should be my
> local web server, I don't need it to have public (inet) access?

Sample FTP/SMTP/DNS/HTTP entry:

add allow tcp from any to ${me} in via ${oif} 22 setup
add allow tcp from any to ${me} in via ${oif} 25 setup
add allow tcp from any to ${me} in via ${oif} 53 setup
add allow tcp from any to ${me} in via ${oif} 80 setup

These must be paired with, later in the list:

add allow tcp from any to ${me} established

HTH,

Kevin Kinsey
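The setup/established pairing Kevin describes, written out as a complete rule script. This is an added example, not code from the thread or from FreeBSD's rc.firewall. It assumes an outside interface named dc0 (the interface Eric's draft rules mention), a placeholder public address 203.0.113.10, and by default only prints the rules rather than loading them. It goes a little beyond Kevin's four sample lines: it also admits connections the host opens itself, handles UDP 53 for the DNS server Eric says he runs, and ends with a logging deny.

```sh
#!/bin/sh
# Added example, not from the original mail: an ipfw rule set in the shape
# Kevin describes. One 'setup' rule per inbound TCP service on the outside
# interface, paired later in the list with a single 'established' rule,
# then a default deny. Assumed values: outside interface dc0 (the one
# Eric's draft rules name) and the placeholder address 203.0.113.10.

oif="${OIF:-dc0}"                      # assumption: outside interface
me="${ME:-203.0.113.10}"               # assumption: this host's public address
tcp_ports="${TCP_PORTS:-22 25 53 80}"  # Kevin's sample: SSH, SMTP, DNS, HTTP

# Print a rule line (default) or, with IPFW_LOAD=yes, hand it to ipfw(8).
# The printed form is what 'ipfw -q /path/to/file' reads, one rule per line.
fw() {
    if [ "${IPFW_LOAD:-no}" = yes ]; then
        ipfw "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Rule letting anyone open a TCP connection to port $1 on the outside interface.
setup_rule() {
    printf 'add allow tcp from any to %s in via %s %s setup\n' "$me" "$oif" "$1"
}

# The partner rule: passes TCP packets carrying ACK or RST, i.e. packets of a
# connection that is already under way, in both directions.
established_rule() {
    printf 'add allow tcp from any to any established\n'
}

ruleset() {
    fw add allow ip from any to any via lo0
    fw add deny ip from any to 127.0.0.0/8
    fw add deny ip from 127.0.0.0/8 to any
    # Inbound: only the ports a daemon actually listens on.
    for p in $tcp_ports; do
        fw $(setup_rule "$p")
    done
    # Outbound: this host may open connections itself (mail delivery, DNS lookups).
    fw add allow tcp from "$me" to any out via "$oif" setup
    # Must follow the setup rules: it only passes connections a setup rule admitted.
    fw $(established_rule)
    # UDP has no SYN handshake, so 'setup'/'established' never match it; a DNS
    # server needs its UDP 53 traffic allowed explicitly in both directions.
    fw add allow udp from any to "$me" 53 in via "$oif"
    fw add allow udp from "$me" 53 to any out via "$oif"
    # Explicit final deny with logging; the implicit rule 65535 denies silently.
    fw add deny log ip from any to any
}

ruleset
```

Run it as-is to review the rules, or save the output and point firewall_type at the file in /etc/rc.conf. Note that 'established' only tests TCP flags (ACK or RST set) and does no connection tracking; the stateful rules JJB refers to are ipfw's keep-state/check-state, which the page's sample lines do not use.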