From owner-freebsd-security@FreeBSD.ORG Thu Aug 7 14:05:01 2003
From: "Chris Odell"
Reply-To: chris@redstarnetworks.net
Organization: Red Star Networks, INC
Date: Thu, 7 Aug 2003 13:59:27 -0700
Message-ID: <000001c35d26$cd0827b0$0304a8c0@delllaptop>
In-Reply-To: <20030807191926.50590.qmail@web10108.mail.yahoo.com>
cc: schalk@home.incredible.com.na
Subject: RE: FreeBSD - Secure by DEFAULT ?? [hosts.allow]
List-Id: Security issues [members-only posting]

But why IPFW? IPF is *BSD native wall. I actually use both - IPF for firewalling, and IPFW for throttling via dummy net.
My recommended reading for IPF and IPFW is "Building Linux and OpenBSD Firewalls" and Google for "IPF, host based, web server". If you would like, I can send a few examples to show this, as it will be very simple after seeing real world rules. I would be more than happy to help anyone through this process, and may even write a paper on it. There are plenty of sites that show how to build a nat/ipf router but not really much on localhost based IPF.

Chris Odell

-----Original Message-----
From: twig les [mailto:twigles@yahoo.com]
Sent: Thursday, August 07, 2003 12:19 PM
To: chris@redstarnetworks.net; freebsd-security@freebsd.org
Subject: RE: FreeBSD - Secure by DEFAULT ?? [hosts.allow]

Yes I've had great luck with simple host protection via IPFW, and there is a nice tutorial here: http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html. It's a bit old but I'm using IPFW on several 4.x boxes without any big changes. Sorry I don't have a more definitive answer.

--- Chris Odell wrote:
>
> May I recommend IPF, FreeBSD's firewall daemon? Having this in place
> - and yes on localhost, will be more of what you want to accomplish. You
> will also be able to control a whole lot more as far as traffic to/from
> your box. It is very simple to configure, as long as you can recompile
> it in your kernel.
>
> Just my 2 cents...
>
> Chris Odell
> chris@redstarnetworks.net
>
> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Schalk Erasmus
> Sent: Thursday, August 07, 2003 10:14 AM
> To: freebsd-security@freebsd.org
> Subject: FreeBSD - Secure by DEFAULT ?? [hosts.allow]
>
>
> Hi,
>
> I need to know what the implications are to make use of the
> hosts.allow file on a FreeBSD Production Server (ISP Setup)? The
> reason I'm asking, is that I've recently decommissioned a Linux
> SendMail Server to a FreeBSD Exim Server, but with no Firewall
> (IPTABLES) yet.
>
> Besides the fact that it only runs EXIM and Apache, is it necessary to
> Configure rc.Firewall? or can I only make use of the hosts.allow file?
>
> Currently I would only like to allow SSH access from my Home Network,
> instead of allowing the WORLD.
>
> I've seen OpenBSD Servers using hosts.deny and hosts.allow files, but
> based on the new "Access Control File", it is all merged together in one
> file:
>
> # hosts.allow access control file for "tcp wrapped" applications.
> # $FreeBSD: src/etc/hosts.allow,v 1.8.2.7 2002/04/17 19:44:22 dougb Exp $
> #
>
> I take that I should allow the other Services, in this order:
>
> sshd : myhomepc : allow
> exim : ALL : allow
> httpd : ALL : allow
> ftpd : ALL : allow
> ALL : ALL : deny
>
>
> What kind of protection does FreeBSD need by Default? Since OpenBSD
> goes around saying: "SECURE BY DEFAULT" !?
>
> Just asking.....
>
> Regards
>
> Schalk Erasmus
> Incredible Networks
> Windhoek, Namibia
>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"

=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.
-----------------------------------------------------------
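
An added example, not part of any post in this thread: a simplified Python model of how tcp_wrappers evaluates the hosts.allow rules quoted above (first matching rule wins), and of what changes if the catch-all `ALL : ALL : allow` line that a stock FreeBSD hosts.allow starts with is left above them. It handles only `ALL`, exact names, `.domain` suffixes and `net.` prefixes; the function names and the client address 203.0.113.7 are constructed for illustration. The rules only affect daemons that actually consult libwrap.

```python
# Simplified libwrap model; rules are from the thread, clients are constructed.
POSTED = """\
sshd : myhomepc : allow
exim : ALL : allow
httpd : ALL : allow
ftpd : ALL : allow
ALL : ALL : deny
"""
# Same rules with the stock catch-all allow still in place as the first rule.
STOCK_FIRST = "ALL : ALL : allow\n" + POSTED

def parse_rules(text):
    """Return [(daemon_patterns, client_patterns, action)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        # A rule without a third field grants access.
        action = fields[2].lower() if len(fields) > 2 else "allow"
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split(), action))
    return rules

def matches(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):   # ".example.org": host name suffix
        return value.lower().endswith(pattern.lower())
    if pattern.endswith("."):     # "192.0.2.": address prefix
        return value.startswith(pattern)
    return pattern.lower() == value.lower()

def decide(rules, daemon, client):
    """First matching rule wins; if nothing matches, access is granted."""
    for daemons, clients, action in rules:
        if any(matches(d, daemon) for d in daemons) and \
           any(matches(c, client) for c in clients):
            return action
    return "allow"

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("stock first", STOCK_FIRST)):
        for daemon, client in (("sshd", "myhomepc"), ("sshd", "203.0.113.7")):
            print(label, daemon, client, decide(parse_rules(text), daemon, client))
```

With the posted rules alone, sshd from any other address is denied; with the catch-all allow still first, every later rule is unreachable.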