From owner-freebsd-security Tue Jan 12 12:32:19 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA07218 for freebsd-security-outgoing; Tue, 12 Jan 1999 12:32:19 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from smarter.than.nu (thought.calbbs.com [207.71.213.16]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA07207 for ; Tue, 12 Jan 1999 12:32:16 -0800 (PST) (envelope-from brian@CSUA.Berkeley.EDU) Received: from localhost (localhost [127.0.0.1]) by smarter.than.nu (8.9.1/8.9.1) with ESMTP id MAA13948; Tue, 12 Jan 1999 12:30:14 -0800 (PST) (envelope-from brian@CSUA.Berkeley.EDU) Date: Tue, 12 Jan 1999 12:30:14 -0800 (PST) From: "Brian W. Buchanan" X-Sender: brian@smarter.than.nu To: "Jan B. Koum " cc: Patrick Barmentlo , security@FreeBSD.ORG Subject: Re: examples rules ipfw In-Reply-To: <19990112042358.C303@best.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 12 Jan 1999, Jan B. Koum wrote: > [redirect from -hackers to -security] > > On Mon, Jan 11, 1999 at 02:56:44PM -0800, "Brian W. Buchanan" wrote: > > On Mon, 11 Jan 1999, Patrick Barmentlo wrote: > > > > > Can someone please point me out to some good examples for the rc.firewall > > > file (ipfw )?? > > > (with most variant of opties/features...) > > > > > > i have to set up some filtering, but still having some difficulties with > > > it after checking freebsd.org.... > > > > > > add 00501 allow tcp from any to smarter 1024-65535 > > > > This allows all traffic to ports 1024 through 65535 (to let FTP work > > correctly) > > > This is not good! There are way MANY evil things running on ports > greater then 1024. Take X windows (6000), take nfsd (2049). Most of > the insecure solaris rpc crap runs in that range. This list could > go on forever. Well, I have nfsd listening for UDP only, and that's firewalled off earlier; I selectively unfirewall hosts for NFS as a specific need arises. I don't actually have anything running in the 1024+ port range except X11, and you're right, I should firewall that, but otherwise this doesn't introduce any security vulnerabilities into my particular system. For a network firewall, though, that is dangerous, and I agree that passive FTP is the way to go. -- Brian Buchanan brian@CSUA.Berkeley.EDU -------------------------------------------------------------------------- FreeBSD - The Power to Serve! http://www.freebsd.org daemon(n): 1. an attendant power or spirit : GENIUS 2. the cute little mascot of the FreeBSD operating system To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message