From: Ben Timby
Date: Tue, 29 Jun 2004 13:28:29 -0500
To: Peter Zyumbilev
Cc: questions@freebsd.org
Subject: Re: firewall for web server
Message-ID: <40E1B4CD.3070604@webexc.com>
In-Reply-To: <38256.194.39.131.39.1088401582.squirrel@194.39.131.39>

Peter,
Choose your firewall software; with a host firewall (what you are looking for, not a network firewall) the features you need will be limited. Find a howto on using that firewall package. The only difference between what you want and what most howtos provide instructions for is the ruleset. You will probably want rules like the following:

--
block in log all (default deny stance).
block out log all (default deny stance).
allow in tcp port 80 SYN/SYN+ACK keep state (only allow new connections and established ones to httpd).
allow in tcp port 22 SYN/SYN+ACK from host keep state (only allow new connections and established ones to sshd).
allow out tcp src port > 1024 dest port < 1024 keep state (only allow new connections and established ones to "server" ports from "client" ports).
--

Modify for your firewall package and to suit your needs. Something simple like the above is probably all you need.

I personally have used ipfilter in the past with good success, but I currently use pf, which is ported from OpenBSD, and is the most excellent firewall package I have ever used. The rule preprocessor makes writing rules a breeze. I will not use any other firewall package again as long as pf is a choice.

Hope that helps.

Peter Zyumbilev wrote:
> Hello,
>
> Do you know some good tutorial for building a firewall for FreeBSD as a web
> server? I found a lot of tutorials, but for FreeBSD as a router.
> Some commented premade script with comments will also do the job.
> I was planning to use APF, but I am afraid to install it on FreeBSD
> without a good tutorial.
> Please advise.
>
> Best regards,
>
> Peter
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
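The pseudo-rules in the reply above, written out as a pf.conf for a standalone web server. This is an added illustration, not a file from the poster or from the FreeBSD project; the interface name em0 and the administrator's address 192.0.2.10 are assumptions, and "flags S/SA" is pf's spelling of the SYN/SYN+ACK condition in the message.

```pf
# /etc/pf.conf for a web server as a host firewall (not a router)
ext_if     = "em0"          # assumption: the server's public interface
admin_host = "192.0.2.10"   # assumption: the one host allowed to reach sshd

# Leave loopback alone so local services can talk to each other
set skip on lo0

# Normalize fragments and odd flag combinations before filtering
scrub in all

# Default deny in both directions, logged (pflog0 shows what was dropped)
block in log all
block out log all

# New connections to httpd; keep state so replies pass without an out rule
pass in on $ext_if proto tcp from any to $ext_if port 80 \
    flags S/SA keep state

# sshd only from the administrator's host
pass in on $ext_if proto tcp from $admin_host to $ext_if port 22 \
    flags S/SA keep state

# Outbound client connections: unprivileged source port to a server port
pass out on $ext_if proto tcp from $ext_if port > 1023 to any port < 1024 \
    flags S/SA keep state
```

Because pf uses last-match-wins without "quick", the block rules must precede the pass rules as shown; check the file with "pfctl -nf /etc/pf.conf" before loading it. Note that, like the original list, this permits no UDP at all, so DNS resolution from the server would need its own "pass out ... proto udp ... port 53 keep state" rule.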