From: Martin McCormick
To: security@FreeBSD.org
Subject: Firewall Rule Logic
Date: Sun, 19 Aug 2001 19:51:38 -0500

I have set up a system in which incoming email is disallowed, but outgoing mail permitted. The rule I wrote is as follows:

    ${fwcmd} add 400 deny log tcp from any to a.host.okstate.edu 25

The rule works fine and blocks incoming smtp mail as well as producing a line in the log. The firewall passes all ports except this one right now, but I want to invert the logic and deny and log anything not expressly permitted. I am asking the question before I succeed in locking myself out.

Can I put a line at the end of the rule chain that goes something like:

    ${fwcmd} add 400 deny log tcp from any to a.host.okstate.edu all

and then put one rule per allowed port in to open up just those ports that we need? The system will be a name server as well as a dhcp server, and nobody needs to be trying to start web sessions or be beating on it for other services except dns, dhcp and ssh. That's it for now, with the possible exception of snmp later.

I have lists of the low-numbered ports, but I want to make sure this logic is correct before I make my life a lot more trouble for a while, as the local console is a bit hard to get to.
Martin McCormick WB5AGZ
Stillwater, OK
OSU Center for Computing and Information Services
Data Communications Group
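One way to lay out the default-deny ruleset the question asks about, as an added example that is not from the original post: ipfw walks rules in ascending number order, so the per-service allows are numbered below the final deny, established TCP is allowed so outgoing mail still gets its replies, and the catch-all deny covers every IP protocol rather than tcp only. The host name comes from the post; the port numbers (22 ssh, 53 dns, 67/68 dhcp) and the rule numbers are this example's choices, and it prints the commands instead of loading them unless fwcmd is set to the real ipfw.

```shell
#!/bin/sh
# Default-deny ipfw layout for a host that serves only DNS, DHCP and SSH.
# Set fwcmd="ipfw" on the real box; the default just prints the commands.
fwcmd="${fwcmd:-echo ipfw}"
host="a.host.okstate.edu"   # host name taken from the original post

emit_rules() {
    ${fwcmd} -f flush
    # Loopback traffic is always fine; spoofed loopback addresses are not.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    # Replies to connections this host opened (outgoing smtp and the like).
    ${fwcmd} add 300 allow tcp from any to any established
    # Anything the host itself originates may leave.
    ${fwcmd} add 400 allow ip from ${host} to any
    # Inbound services: ssh, dns over udp and tcp, dhcp (client 68 -> server 67).
    ${fwcmd} add 500 allow tcp from any to ${host} 22 setup
    ${fwcmd} add 600 allow udp from any to ${host} 53
    ${fwcmd} add 610 allow tcp from any to ${host} 53 setup
    ${fwcmd} add 620 allow udp from any 53 to ${host}   # answers to our own lookups
    ${fwcmd} add 700 allow udp from any 68 to any 67
    # Everything else, whatever the protocol, is dropped and logged.
    ${fwcmd} add 65000 deny log ip from any to any
}

# Sanity check before loading this on a box whose console is hard to reach:
# the ssh allow must carry a lower number than the final deny, or it never fires.
ssh_before_deny() {
    emit_rules | awk '
        / allow tcp .* 22 setup/      { ssh = $3 }
        / deny log ip from any to any/ { deny = $3 }
        END { exit !(ssh != "" && deny != "" && ssh + 0 < deny + 0) }'
}
```

Running the script as-is prints the full rule list for review; `ssh_before_deny` returns success only when the ssh allow sorts ahead of the catch-all deny.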