From: Bart Matthaei
To: Geert Houben
Cc: security@freebsd.org
Date: Wed, 27 Feb 2002 11:34:56 +0100
Subject: Re: best firewall option for FreeBSD
Message-ID: <20020227113456.L62131@heresy.dreamflow.nl>
In-Reply-To: <3C7CB173.5F5A9837@hict.nl>

On Wed, Feb 27, 2002 at 11:14:11AM +0100, Geert Houben wrote:
[snip]

Correct me if I'm wrong. The easiest way of achieving this is to deny
everything coming from your internal net by default, and set up rules
to allow certain services, like ssh.

Example:

    # allow established connections ( remote host -> source port on client )
    ipfw add pass all from any to any established

    ipfw add pass tcp from any to any 22 recv $internal_nic # allow ssh
    ipfw add pass tcp from any to any 80 recv $internal_nic # allow http
    ipfw add pass tcp from any to any 21 recv $internal_nic # allow ftp
    ipfw add deny all from any to any recv $internal_nic

You'll get a pretty long set of firewall rules, but that doesn't matter.

You should also decide if you want your internal net to have public or
private IP space (and if private, whether to use ipnat or natd: natd runs
in userland, so that's no option for large networks (imho). ipnat runs in
the kernel, so it performs better for large nets).

Regards,

Bart

-- 
Bart Matthaei bart@dreamflow.nl
Kiss me twice. I'm schizophrenic.
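As an added example, not part of Bart's post: a small sh script that produces the rule set he outlines (an established rule, one allow per service, a final deny on the internal interface), with a sanity check on the port list and `setup` on the allow rules so each matches only the opening SYN. The interface name "xl1" and the rule base number 1000 are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Prints an ipfw(8) rule
# list in the style described above: default-deny on the internal interface
# with explicit allows for a few TCP services. It only prints the rules so
# they can be reviewed first; to load them as root:
#   gen_rules xl1 1000 22 80 21 | sed 's/^/ipfw /' | sh
# Assumptions (placeholders): interface "xl1", rule base number 1000.

# gen_rules IFACE BASE PORT... : print ipfw rule bodies, numbered from BASE
# in steps of 10 so rules can be inserted later without renumbering.
gen_rules() {
    iface=$1; base=$2; shift 2
    # Refuse non-numeric ports before printing anything, so a typo cannot
    # leave a half-loaded rule set behind.
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "gen_rules: bad port '$port'" >&2; return 1 ;;
        esac
    done
    n=$base
    # Replies to sessions already opened (ACK or RST set) pass on any interface
    printf 'add %d pass tcp from any to any established\n' "$n"
    # One allow rule per service; 'setup' restricts it to the opening SYN,
    # so everything after the handshake is covered by the established rule.
    for port in "$@"; do
        n=$((n + 10))
        printf 'add %d pass tcp from any to any %s setup recv %s\n' "$n" "$port" "$iface"
    done
    n=$((n + 10))
    # Everything else arriving on the internal NIC is dropped and logged
    printf 'add %d deny log all from any to any recv %s\n' "$n" "$iface"
}

# rule_count IFACE BASE PORT... : number of rules the generated set contains
rule_count() { gen_rules "$@" | wc -l | tr -d ' '; }
```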