From owner-freebsd-hackers Thu Sep 9 20:14: 4 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from loki.iss.net (loki.iss.net [208.21.0.3])
    by hub.freebsd.org (Postfix) with ESMTP id E6E3D14D00
    for ; Thu, 9 Sep 1999 20:14:01 -0700 (PDT)
    (envelope-from bmitchel@iss.net)
Received: from egon.iss.net (egon.iss.net [208.21.4.146])
    by loki.iss.net (8.9.3/8.9.3) with ESMTP id XAA19936;
    Thu, 9 Sep 1999 23:11:52 -0400
Date: Thu, 9 Sep 1999 23:22:41 -0400 (EDT)
From: "Brian Mitchell (ISSATL)"
To: "James E. Housley"
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: A Challenge
In-Reply-To: <37D87080.4D44E9C4@thehousleys.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> I have about 5 years experience with FreeBSD. I am running it at home
> connected to a cable modem. My server is fairly secure from the
> outside. I periodically read and act upon the bulletins from CERT, etc.
>
> The box is just going to be running NATD and IPFW, maybe DHCLIENT.

Some suggestions:

Dump natd/ipfw; use ipf and ipnat instead so you can use keepstate (which is very close to a stateful packet filter).

Subscribe to bugtraq (http://www.securityfocus.com, it's somewhere in there).

Don't install X, or any other services not absolutely necessary for the operation of the firewall. Administration should (ideally) be done at the console (no X!).

Remove privileges of all executables that you don't require. Enable them on a case-by-case basis if they need to be used for the operation of the firewall.

> Mr. NT has been told he can try and break in, crash, whatever, this box
> from the internet side.
>
> I am asking for links, pointers to make sure this is configured as
> secure/solid as possible. I will be installing 3.3-STABLE over this
> weekend (9/11/1999). I really want to make sure we win.

Might want to write chroot() wrappers around all network daemons too.
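A sketch of the kind of chroot() wrapper suggested in the reply above, as an added example that is not part of the original post. The names `chrootwrap`, `parse_id` and `check_jail_dir` are hypothetical, and the wrapper goes one step beyond the post by also dropping root, because a process that keeps root can leave a chroot.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose chroot() and setgroups() */
#include <sys/stat.h>
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: parse a numeric id; -1 on junk, overflow or 0 (root). */
long parse_id(const char *s) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    return (errno || end == s || *end || v <= 0 || v > 2147483647L) ? -1 : v;
}

/* Hypothetical helper: the jail must be an absolute path to a root-owned
 * directory that group/other cannot write, or the daemon could alter it. */
int check_jail_dir(const char *path) {
    struct stat st;
    if (path[0] != '/' || stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH))) ? -1 : 0;
}

/* usage (assumed): chrootwrap <jail> <uid> <gid> </path/inside/jail> [args] */
int main(int argc, char **argv) {
    if (argc < 5) {
        fprintf(stderr, "usage: chrootwrap jail uid gid /path/in/jail [args]\n");
        return 64;
    }
    long uid = parse_id(argv[2]), gid = parse_id(argv[3]);
    if (uid < 0 || gid < 0 || check_jail_dir(argv[1]) != 0) {
        fprintf(stderr, "chrootwrap: bad uid/gid or unsafe jail directory\n");
        return 64;
    }
    gid_t g = (gid_t)gid;
    /* Enter the jail while still root, then shed groups, gid and uid, in
     * that order; finally confirm that root cannot be regained. */
    if (chdir(argv[1]) != 0 || chroot(".") != 0 || chdir("/") != 0 ||
        setgroups(1, &g) != 0 || setgid(g) != 0 || setuid((uid_t)uid) != 0 ||
        setuid(0) == 0) {
        fprintf(stderr, "chrootwrap: could not enter jail or drop root\n");
        return 71;
    }
    execv(argv[4], &argv[4]);   /* program path is resolved inside the jail */
    perror("chrootwrap: execv");
    return 71;
}
```

The daemon binary, its shared libraries and any files it opens must exist under the jail directory, since execv() runs after chroot().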