From owner-freebsd-security Thu May 16 11:21:37 2002
Date: Thu, 16 May 2002 21:20:57 +0300
From: Alexandr Kovalenko
To: mohammad mirzaeenasir
Cc: marcr@closed-networks.com, freebsd-security@FreeBSD.ORG
Subject: Re: reply
Message-ID: <20020516182057.GB7239@nevermind.kiev.ua>

Hello, mohammad mirzaeenasir!

On Thu, May 16, 2002 at 12:23:52PM +0000, you wrote:
> hi,
> thanks for your reply. I installed a transparent proxy on my machine with
> "ipfw" rules. Everything is ok and I tested it. But someone told me that
> if you set your "kernel_secure_level = NO", all kinds of tcp connections
> will be ignored by the kernel and, for example, in the case of telneting it,
> it will reply "connection timed out". And I checked it; he was quite
> right. I did so (kernel_secure_level=NO) but when I telnet my unix box, it
> replies "connection refused".
> Now, please help me to find out more.

It depends on how you will access your machine. If you're accessing via ssh,
you should add sshd_enable="YES" to your /etc/rc.conf.

Now you should determine which ports you need to be open. For your case it
will be 22 (ssh), 3128 (squid). So you can allow only those ports with

    ipfw add allow tcp from any to any 22 in recv ed0
    ipfw add allow tcp from any 22 to any out xmit ed0
    ipfw add allow tcp from any to any 3128 in recv ed0
    ipfw add allow tcp from any 3128 to any out xmit ed0

and finally deny all other packets:

    ipfw add deny ip from any to any

P.S. securelevel has nothing to do with firewall.

-- 
NEVE-RIPE

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
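The ruleset in the reply depends on ordering: "ipfw add" without a rule number appends each rule after the previous one, and the first matching rule wins, so the catch-all deny must be added last or it shadows the allows. The script below is an added example, not part of the original post or of FreeBSD, that generates the same kind of allow-only ruleset (sshd on 22, squid on 3128, interface ed0) with explicit rule numbers so the order is visible and repeatable, rejects non-numeric ports, and checks that the deny really is the final rule. The interface name, the rule numbers and the helper names are assumptions for illustration; it only prints the ipfw commands, so it can be reviewed before being piped to a shell as root on the FreeBSD box.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): build an ipfw
# ruleset that allows only the named TCP services on one interface and
# emits the catch-all deny LAST. ipfw evaluates rules in ascending number
# order and stops at the first match, so explicit numbers keep the allows
# ahead of the deny even if the commands are re-run or reordered.
# Interface, ports and rule numbers below are assumed values.

IFACE="${IFACE:-ed0}"                      # assumed external interface
SERVICE_PORTS="${SERVICE_PORTS:-22 3128}"  # sshd and squid, as in the reply
BASE=1000                                  # assumed first rule number
STEP=100                                   # gap between services
DENY_RULE=65000                            # below the reserved default rule 65535

# Emit the inbound rule and the matching return-traffic rule for one port.
allow_pair() {
    port="$1"; num="$2"
    printf 'ipfw add %d allow tcp from any to any %d in recv %s\n' "$num" "$port" "$IFACE"
    printf 'ipfw add %d allow tcp from any %d to any out xmit %s\n' "$((num + 1))" "$port" "$IFACE"
}

# Print the whole ruleset: one allow pair per service, then the deny.
# Returns 1 (and prints nothing further) if a port is not a plain number.
gen_rules() {
    num=$BASE
    for p in $SERVICE_PORTS; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_rules: bad port '$p'" >&2; return 1 ;;
        esac
        allow_pair "$p" "$num"
        num=$((num + STEP))
    done
    printf 'ipfw add %d deny ip from any to any\n' "$DENY_RULE"
}

# Sanity check: succeed only if the last emitted rule is the catch-all deny.
deny_is_last() {
    gen_rules | tail -n 1 | grep -q 'deny ip from any to any'
}

# Number of allow rules emitted (two per service port).
allow_count() {
    gen_rules | grep -c ' allow '
}

# Usage:  sh rules.sh            # review the commands
#         sh rules.sh | sh       # apply them (root on the FreeBSD host)
gen_rules
```

Running it with the defaults prints four allow rules followed by the deny; setting SERVICE_PORTS to something like "22 squid" makes gen_rules fail before any rule is printed, which is the behaviour you want from a generator whose output is fed straight to the firewall.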