Date:      Fri, 12 Oct 2001 21:27:03 +0200
From:      Alson van der Meulen <alm@flutnet.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: How to protect binding to interface ?
Message-ID:  <20011012212703.C21997@md2.mediadesign.nl>
In-Reply-To: <20011012143125.G4157@brained.org>
References:  <20011010214156.B27378@brained.org> <20011012143031.B21997@md2.mediadesign.nl> <20011012143125.G4157@brained.org>

On Fri, Oct 12, 2001 at 02:31:25PM -0400, Simon Perkins wrote:
> On Fri, Oct 12, 2001 at 02:30:31PM +0200, Alson van der Meulen wrote:
> > On Wed, Oct 10, 2001 at 09:41:56PM -0400, Simon Perkins wrote:
> > > Hi,
> > > 
> > > 	I am learning FreeBSD and wanted to know if there is any means in
> > > 	FreeBSD to prevent non-root users from binding to public interfaces, or
> > > 	maybe something which even makes the public network interfaces
> > > 	invisible to them. Can anybody point me in the right direction?
> > try something like:
> > allow tcp from any to any in via fxp0 setup uid root
> > reset tcp from any to any in via fxp0 setup
> > (where fxp0 is your public interface)
> > 
> 
> I think that is a workable solution. I think I stated my question wrongly.
> What I need is *remote* users not to see public interfaces (bind to them).
Do you mean 'users logged in thru ssh from a remote location'? or 'users
on other remote computers making a tcp connection to me'? If it's the
latter, it's not called binding to an interface, but just packet
filtering/firewalling. So I assume you mean the former definition.

What do you mean by 'not seeing public interfaces'? Seeing the interface
using /sbin/ifconfig? There's IMHO not very much secret information in
that, except your IP address, MAC address, ethernet card make, etc. But
your IP address will be known anyway if they connect to your computer.
> 
> I think the solution is to forward the ssh connection to an internal host on a private
> network. Am I going in the right direction?
That's also a solution, since only forwarded ports would be accessible
from the outside. If you've another box to NAT, this is probably the
easiest to set up and safest solution.
-- 
,-------------------------------------------.
> Name:           Alson van der Meulen      <
> Personal:        alson@flutnet.org        <
> School:       alson@gymnasiumleiden.nl    <
`-------------------------------------------'
You can do this patch with the system up...
---------------------------------------------
