Date: Sun, 20 Aug 2000 03:11:34 -0500 (CDT)
From: Mike Meyer <mwm@mired.org>
To: Steve Lewis <nepolon@systray.com>
Cc: Bill McMilleon <billmcmilleon@home.com>, questions@FreeBSD.ORG
Subject: Re: hardening my nat/firewall rules
Message-ID: <14751.37558.138117.824578@guru.mired.org>
In-Reply-To: <Pine.BSF.4.05.10008192333490.717-100000@greg.ad9.com>
References: <14751.2479.923607.828576@guru.mired.org> <Pine.BSF.4.05.10008192333490.717-100000@greg.ad9.com>
Steve Lewis writes:
> On Sat, 19 Aug 2000, Mike Meyer wrote:
> > > # I didn't know how to proceed here, but this works for now
> > > add allow ip from any to any
> > No. Never. The safe behavior is to deny everything you don't
> > specifically allow, not to allow everything you don't specifically
> > deny.
> > Use "add deny log ip from any to any" as the last rule. This turns off
> > everything else, and logs what happened. Check the logs regularly. If
> > something doesn't work, check the logs to see what's being blocked,
> > and then enable that.
> while defaulting to deny is safer, that doesn't make any sense to just
> replace his rule without forethought because at no point does he
> allow/pass any packets IIRC... he always skips to the divert. Now he has
> to add rules to allow any packets which were skipped before... THEN he can
> add the default deny rule.

All correct - you can't replace it without possibly breaking something. On the other hand, doing that replace and watching the log if something fails is the quickest way to find something you had overlooked. This way is safer, which is why it qualifies as "hardening".

> am I missing anything?

Actually, we both did. If the default is to divert everything to natd, then the default for ipfw doesn't matter. I'd make it "deny all" just because the exposure if you goof is lower. I've not dealt with natd much, so I skipped it. However, in this case I'd say take the same route - deny and log everything you don't explicitly allow.

<mike
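The ruleset shape the thread converges on, as an added example that is not from the original message or from the poster's own configuration: the natd divert first, explicit allows for the traffic that used to be skipped straight to the divert, and "deny log ip from any to any" as the last rule. The interface name (fxp0) and the internal network are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal ipfw + natd ruleset in
# the order the thread recommends. EXT_IF and INT_NET are assumptions.
EXT_IF=fxp0               # assumed external interface
INT_NET=192.168.1.0/24    # assumed internal network

# Print the ruleset, one "add ..." rule per line, in evaluation order.
hardened_rules() {
    cat <<EOF
add divert natd ip from any to any via $EXT_IF
add allow ip from any to any via lo0
add allow ip from $INT_NET to any
add allow tcp from any to any established
add allow udp from any 53 to any
add allow icmp from any to any icmptypes 0,3,8,11
add deny log ip from any to any
EOF
}

# Sanity check before loading: the last rule must be the logging default
# deny, and no rule may be the unconditional "allow ip from any to any"
# the thread is arguing against.
check_rules() {
    rules=$(hardened_rules)
    last=$(printf '%s\n' "$rules" | tail -n 1)
    [ "$last" = "add deny log ip from any to any" ] || return 1
    if printf '%s\n' "$rules" | grep -q '^add allow ip from any to any$'; then
        return 1
    fi
    return 0
}

# Load the rules only on a host that has ipfw; elsewhere just print them
# so the ruleset can be reviewed.
apply_rules() {
    check_rules || { echo "ruleset rejected: fix ordering first" >&2; return 1; }
    if command -v ipfw >/dev/null 2>&1; then
        ipfw -q flush
        hardened_rules | while read -r line; do ipfw -q $line; done
    else
        hardened_rules
    fi
}
```

The `log` keyword only writes to syslog when `net.inet.ip.fw.verbose` is 1 (or the kernel has IPFIREWALL_VERBOSE), so set that before relying on the logs to find what the default deny is blocking.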