From: Cliff Sarginson
To: freebsd-questions@FreeBSD.ORG
Date: Mon, 15 Oct 2001 03:01:19 +0200
Subject: Re: Firewall and nmap
Message-ID: <20011015030119.B2028@raggedclown.net>
In-Reply-To: <20011014163237.H309@blossom.cjclark.org>

On Sun, Oct 14, 2001 at 04:32:37PM -0700, Crist J. Clark wrote:
> On Sun, Oct 14, 2001 at 09:02:32PM +0200, Cliff Sarginson wrote:
> > Hello,
> > I am slowly building up my knowledge of ipfilter in order
> > to build as secure a firewall as I can, basically allowing
> > everything out and only ssh and smtp in.
> > I am testing it locally basically using nmap. Until
> > I actually get 24/7 online it is a bit difficult to test
> > it from the outside world. I would like to know that
> > if a local test using nmap seems to confirm the intentions of
> > my rules is that good enough?
>
> It depends on what you mean by "local." If it is another machine on
> the LAN, that is probably just fine.

Yes, sorry, perhaps that was unclear. I meant another machine on the LAN.

> If you are running nmap on the
> firewall machine itself, it really is not. Processing stuff that never
> crosses a "real" interface and comes off of a wire is just not the
> same as running stuff over the loopback.

Yes, I appreciate that point. Thanks!

> But then again, if you really do not have the facilities to test the
> machine in any other way, it is better than nothing.
> --
> Crist J. Clark | cjclark@alum.mit.edu
> | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org

--
Regards
Cliff
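An added illustration, not part of the thread above: an ipfilter ruleset (ipf.conf) implementing the policy Cliff describes, everything out and only ssh and smtp in, written so that the rules are bound to the external interface. The interface name fxp0 is an assumption; the point it shows is why a scan of 127.0.0.1 on the firewall itself proves nothing, since none of these rules are consulted for loopback traffic.

```ipf
# ipf.conf (added example; interface fxp0 is an assumed placeholder)
# Loopback is left open: rules below are "on fxp0", so an nmap run
# against 127.0.0.1 from the firewall itself never exercises them.
pass in  quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing on the external interface. Comment these out while
# testing from a LAN host that itself sits in one of these ranges,
# or the tester is silently dropped and the result is misleading.
block in quick on fxp0 from 127.0.0.0/8    to any
block in quick on fxp0 from 10.0.0.0/8     to any
block in quick on fxp0 from 172.16.0.0/12  to any
block in quick on fxp0 from 192.168.0.0/16 to any

# Everything out, with state so that replies are admitted
# without any explicit inbound rule.
pass out quick on fxp0 proto tcp  from any to any flags S/SA keep state
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Inbound services: only ssh (22) and smtp (25). "flags S/SA" admits
# the initial SYN only; the state entry carries the rest of the session.
pass in quick on fxp0 proto tcp from any to any port = 22 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = 25 flags S/SA keep state

# Default deny, logged. Silent drop makes nmap report other TCP ports
# as "filtered"; "block return-rst" would make them show as "closed".
block in log quick on fxp0 all
```

When checking from another LAN host, the expected nmap view is exactly two open TCP ports (22 and 25) and the rest filtered; anything else open points at a rule ordering or interface-name mistake, which is the kind of error an ipfstat -nio listing will show and a loopback scan will not.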