Date: Thu, 10 Jun 1999 16:52:24 -0400
From: "David E. Cross" <crossd@cs.rpi.edu>
To: Alexey Ryndin <alfapri@cityline.ru>
Cc: hackers@FreeBSD.ORG, crossd@cs.rpi.edu
Subject: Re: restrict connection
Message-ID: <199906102052.QAA58410@cs.rpi.edu>
In-Reply-To: Message from Alexey Ryndin <alfapri@cityline.ru> of "Thu, 10 Jun 1999 23:27:39 +0400." <376011AA.606CEA2D@cityline.ru>
We have similar restraints for a certain number of our machines; we have solved this problem by using FreeBSD's built-in firewall (just add 'options IPFIREWALL' to your kernel config script). Here is a *very* simple firewall config to do some such restrictions. You may note that there are multiple accept lines for this; this is done to allow good security and logging for each connection. Without these multiple steps an attacker could determine what services you are running by forging TCP packets to make it look like connections are already there...

add 100 allow all from any to any via lo0  #standard rule for lo0

#log and allow standard telnet from IP1 *only*, and only from IF1 interface
add 200 allow log tcp from IP1 to HOSTIP 23 setup in recv IF1
add 200 allow tcp from IP1 to HOSTIP 23 in recv IF1
add 200 allow tcp from HOSTIP 23 to IP1 out xmit IF1
add 200 deny log tcp from any to HOSTIP 23

#Allow ssh connects from a secured subnet
add 300 allow log tcp from NET1/NET1MASK to HOSTIP 22 setup in recv IF1
add 300 allow tcp from NET1/NET1MASK to HOSTIP 22 in recv IF1
add 300 allow tcp from HOSTIP 22 to NET1/NET1MASK out xmit IF1
add 300 deny log tcp from any to HOSTIP 22

Wash, rinse, and repeat for your other services. FTP will be a bit tricky since it is a 2-way communication, but I have done it: you just open up a set of ports in the 4000-5000 range, make sure nothing ever runs on them, and make them outbound connections only, accepting only "established" packets in on them. The OS will bind to the first port that it can, and for me so far that has taken into account firewall rules.

-- 
David Cross                               | email: crossd@cs.rpi.edu
Systems Administrator/Research Programmer | Web: http://www.cs.rpi.edu/~crossd
Rensselaer Polytechnic Institute,         | Ph: 518.276.2860
Department of Computer Science            | Fax: 518.276.4033
I speak only for myself.                  | WinNT:Linux::Linux:FreeBSD

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199906102052.QAA58410>
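The "wash, rinse, and repeat" step from the message above, written out as an added example (not David Cross's own script): a small sh generator that emits the four-rule block per service and the outbound-only FTP data range, so each additional service is one function call instead of four hand-copied lines. HOSTIP 192.0.2.10, interface fxp0, the admin host 192.0.2.1 and the subnet 198.51.100.0/24 are placeholder values chosen for this example; by default the script only prints the rules (IPFW=echo), and setting IPFW=/sbin/ipfw installs them.

```shell
#!/bin/sh
# Added example, not part of the original mail: generate the per-service ipfw
# rule blocks the mail describes from a few variables.
#
# Dry run (prints the rules):   sh ipfw-restrict.sh
# Load for real (as root):      IPFW=/sbin/ipfw sh ipfw-restrict.sh

IPFW=${IPFW:-echo}             # "echo" previews; /sbin/ipfw installs the rules
HOSTIP=${HOSTIP:-192.0.2.10}   # this host's address on IF1 (placeholder value)
IF1=${IF1:-fxp0}               # interface the clients arrive on (placeholder)

# allow_service NUM PORT SRC
# Emit the four-rule block from the mail for TCP service PORT: log the
# connection setup from SRC, pass the rest of that flow unlogged in both
# directions, then log and drop the service for every other source. Because
# ipfw takes the first matching rule, a forged non-SYN packet from anywhere
# but SRC falls through to the final deny and is logged.
allow_service() {
    num=$1; port=$2; src=$3
    $IPFW add "$num" allow log tcp from "$src" to "$HOSTIP" "$port" setup in recv "$IF1"
    $IPFW add "$num" allow tcp from "$src" to "$HOSTIP" "$port" in recv "$IF1"
    $IPFW add "$num" allow tcp from "$HOSTIP" "$port" to "$src" out xmit "$IF1"
    $IPFW add "$num" deny log tcp from any to "$HOSTIP" "$port"
}

# ftp_data_range NUM LOW HIGH
# The FTP trick from the mail: a port range nothing listens on, used for
# outbound data connections only. Connection setup may leave from the range,
# only packets of an established connection may come back in to it, and any
# other inbound packet to the range is logged and dropped.
ftp_data_range() {
    num=$1; low=$2; high=$3
    $IPFW add "$num" allow tcp from "$HOSTIP" "$low-$high" to any setup out xmit "$IF1"
    $IPFW add "$num" allow tcp from any to "$HOSTIP" "$low-$high" established in recv "$IF1"
    $IPFW add "$num" deny log tcp from any to "$HOSTIP" "$low-$high" in recv "$IF1"
}

$IPFW -f flush                                   # start from an empty rule set
$IPFW add 100 allow all from any to any via lo0  # loopback, as in the mail
allow_service 200 23 192.0.2.1                   # telnet from one admin host
allow_service 300 22 198.51.100.0/24             # ssh from a trusted subnet
allow_service 400 21 198.51.100.0/24             # ftp control channel, same subnet
ftp_data_range 500 4000 5000                     # ftp data connections
```

Two things to keep in mind when loading this for real: with plain 'options IPFIREWALL' the kernel's final rule 65535 is deny ip from any to any, so anything not explicitly allowed above (DNS, NTP, outbound mail) is dropped and needs its own rules; and the explicit deny log lines only add logging, since the default rule would drop those packets anyway. Later FreeBSD releases added keep-state/check-state to ipfw, which tracks flows instead of relying on the SYN/ACK flag checks that setup and established perform here.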