From: Fernando Gleiser
To: Chip
Date: Sat, 22 Sep 2001 11:08:58 -0300 (ART)
Subject: Re: security and firewall

On Fri, 21 Sep 2001, Chip wrote:

> I have a fbsd 4.0 box running nothing but natd/ipfw, and it appears to be
> fairly secure - I ran nmap against it from another fbsd box outside my
> network and it shows only the sunrpc port 111 open. I have added to my ipfw
> rules a rule that explicitly denies port 111. I have also disabled inetd and
> yet get the following udp ports showing as open - 111, 514, 520.

UDP scanning may give you a lot of false positives, because it relies on
you *not* returning an answer if the port is open. If you drop the packet on
the floor instead of returning an ICMP port unreach, nmap assumes the port is
open. To be sure, run sockstat on the firewall.

Port 111 is portmapper. Shut it down, and add "portmap_enable=NO" to your
rc.conf.

Port 514 is syslog; restart it with -ss, so it won't open any network sockets.

Port 520 is routed. If you don't need any dynamic routing protocols, shut
it down. If you are asking if you need it or don't, shut it down =0).
>
> Now my question - Just what can I do to tighten my security? To make sure my
> machine isn't used as a relay, or just general protection? Are there some web
> pages that cover this basic security stuff someone can point me to?

For firewall configuration, I recommend "Building Internet Firewalls, 2d Ed",
by Chapman et al, O'Reilly.

For anti-relay measures, the default sendmail.cf shipped with FreeBSD denies
relaying by default. You can go to www.sendmail.org and read the configuration
pages about relaying.

Hope this helps.

Fer

>
> --
> Chip W.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message