Date: Thu, 16 May 2002 23:06:32 +0400
From: "Nickolay A. Kritsky"
Reply-To: "Nickolay A. Kritsky"
To: Alexandr Kovalenko
Cc: mohammad mirzaeenasir, marcr@closed-networks.com, freebsd-security@FreeBSD.ORG
Subject: Re[2]: reply
Message-ID: <44104033432.20020516230632@internethelp.ru>
In-reply-To: <20020516182057.GB7239@nevermind.kiev.ua>
References: <20020516182057.GB7239@nevermind.kiev.ua>

Hello Alexandr,

Thursday, May 16, 2002, 10:20:57 PM, you wrote:

AK> Hello, mohammad mirzaeenasir!
AK> On Thu, May 16, 2002 at 12:23:52PM +0000, you wrote:
>> hi,
>> thanks for your reply. I installed a transparent proxy on my machine with
>> "ipfw" rules. Everything is ok and I tested it. But someone told me that
>> if you set your "kernel_secure_level = NO", all kinds of tcp connections
>> will be ignored by the kernel and, for example, in the case of telneting it,
>> it will reply "connection timed out". And I checked it, he was quite
>> right. I did so (kernel_secure_level=NO) but when I telnet my unix box, it
>> will reply "connection refused".
>> now, plz help me to find out more.
AK> It depends on how you will access your machine. If you're accessing via
AK> ssh, you should add sshd_enable="YES" to your /etc/rc.conf. Now you
AK> should determine which ports you need to be open. For your case it
AK> will be 22 (ssh), 3128 (squid). So you can allow only those ports with
AK> ipfw add allow tcp from any to any 22 in recv ed0
AK> ipfw add allow tcp from any 22 to any out xmit ed0
AK> ipfw add allow tcp from any to any 3128 in recv ed0
AK> ipfw add allow tcp from any 3128 to any out xmit ed0
AK> and finally deny all other packets:
AK> ipfw add deny ip from any to any
AK> P.S. securelevel has nothing to do with firewall.

Hmm... Not quite nothing. AFAIK on some securelevels you cannot add or delete ipfw rules.

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru
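An added example, not part of the thread: a small sh script that builds the ruleset Alexandr sketched (allow ssh and squid on ed0, then deny everything else) and refuses to load it when kern.securelevel is 3, the level at which ipfw rules can no longer be added or deleted, which is the point Nickolay raises. The interface and ports are the thread's; the rule numbers, the securelevel check, the DRY_RUN mode and the function names are assumptions made here. One caveat a practitioner would add: as quoted, the ruleset permits only inbound connections to those two ports and their replies, so the box itself (squid fetching pages, DNS lookups) cannot originate anything until further allow rules are added above the final deny.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the ipfw ruleset from the
# reply above and refuses to apply it at securelevel 3. Rule numbers,
# the securelevel check, DRY_RUN and function names are assumptions.

IFACE="${IFACE:-ed0}"
SERVICES="22 3128"   # ssh and squid, the two ports named in the thread

# Print the ruleset, one "ipfw <args>" argument list per line, allow rules
# first and the default deny last: ipfw evaluates rules in ascending number.
build_ruleset() {
    n=100
    for port in $SERVICES; do
        echo "add $n allow tcp from any to any $port in recv $IFACE"
        n=$((n + 10))
        echo "add $n allow tcp from any $port to any out xmit $IFACE"
        n=$((n + 10))
    done
    echo "add 65000 deny ip from any to any"
}

# Return 0 when the given (or current) kern.securelevel still permits
# ipfw changes; at securelevel 3 ipfw(8) rules cannot be added or deleted.
# On a non-FreeBSD host the sysctl is absent and the level is taken as 0.
securelevel_allows_ipfw() {
    level="${1:-$(sysctl -n kern.securelevel 2>/dev/null || echo 0)}"
    [ "$level" -lt 3 ]
}

# Load the rules with ipfw, or just print the commands when DRY_RUN is set.
apply_ruleset() {
    if ! securelevel_allows_ipfw; then
        echo "kern.securelevel forbids ipfw changes; load rules at boot before securelevel is raised" >&2
        return 1
    fi
    build_ruleset | while read -r rule; do
        if [ -n "$DRY_RUN" ]; then
            echo "ipfw $rule"
        else
            ipfw $rule   # word-splitting on purpose: $rule is an argument list
        fi
    done
}
```

Source the file and run `DRY_RUN=1 apply_ruleset` to review the exact commands before loading them; because securelevel is only raised after rc scripts finish, a ruleset like this belongs in the boot-time firewall configuration rather than in a script run by hand later.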