Date: Sun, 19 Aug 2001 19:51:38 -0500
From: Martin McCormick <martin@dc.cis.okstate.edu>
To: security@FreeBSD.org
Subject: Firewall Rule Logic
Message-ID: <E15YdI2-0002Qo-00@dc.cis.okstate.edu>
I have set up a system in which incoming email is disallowed, but outgoing mail is permitted. The rule I wrote is as follows:

    ${fwcmd} add 400 deny log tcp from any to a.host.okstate.edu 25

The rule works fine and blocks incoming smtp mail as well as producing a line in the log. The firewall passes all ports except this one right now, but I want to invert the logic and deny and log anything not expressly permitted. I am asking the question before I succeed in locking myself out.

Can I put a line at the end of the rule chain that goes something like:

    ${fwcmd} add 400 deny log tcp from any to a.host.okstate.edu all

and then put one rule per allowed port in to open up just those ports that we need?

The system will be a name server as well as a dhcp server, and nobody needs to be trying to start web sessions or be beating on it for other services except dns, dhcp and ssh. That's it for now, with the possible exception of snmp later. I have lists of the low-numbered ports, but I want to make sure this logic is correct before I make my life a lot more trouble for a while, as the local console is a bit hard to get to.

Martin McCormick WB5AGZ
Stillwater, OK
OSU Center for Computing and Information Services
Data Communications Group