Date:      Thu, 16 May 2002 23:06:32 +0400
From:      "Nickolay A. Kritsky" <nkritsky@internethelp.ru>
To:        Alexandr Kovalenko <never@nevermind.kiev.ua>
Cc:        mohammad mirzaeenasir <hezare3@hotmail.com>, marcr@closed-networks.com, freebsd-security@FreeBSD.ORG
Subject:   Re[2]: reply
Message-ID:  <44104033432.20020516230632@internethelp.ru>
In-Reply-To: <20020516182057.GB7239@nevermind.kiev.ua>
References:  <F9Mv2bKuX5TEMoUBuao00002523@hotmail.com> <20020516182057.GB7239@nevermind.kiev.ua>

Hello Alexandr,

Thursday, May 16, 2002, 10:20:57 PM, you wrote:

AK> Hello, mohammad mirzaeenasir!

AK> On Thu, May 16, 2002 at 12:23:52PM +0000, you wrote:

>> Hi,
>> thanks for your reply. I installed a transparent proxy on my machine with
>> "ipfw" rules. Everything is OK and I tested it. But someone told me that
>> if you set your "kernel_secure_level = NO", all kinds of TCP connections
>> will be ignored by the kernel and, for example, in the case of telnetting to it,
>> it will reply "connection timed out". And I checked it, he was quite
>> right. I did so (kernel_secure_level=NO) but when I telnet to my Unix box, it
>> will reply "connection refused".
>> Now, please help me to find out more.

AK> It depends on how you will access your machine. If you're accessing via
AK> ssh, you should add sshd_enable="YES" to your /etc/rc.conf. Now you
AK> should determine which ports you need to be open. For your case it
AK> will be 22 (ssh), 3128 (squid). So you can allow only those ports with:
AK> ipfw add allow tcp from any to any 22 in recv ed0
AK> ipfw add allow tcp from any 22 to any out xmit ed0
AK> ipfw add allow tcp from any to any 3128 in recv ed0
AK> ipfw add allow tcp from any 3128 to any out xmit ed0

AK> and finally deny all other packets:
AK> ipfw add deny ip from any to any

AK> P.S. securelevel has nothing to do with firewall.

Hmm... Not quite nothing.
AFAIK on some securelevels you cannot add or delete ipfw rules.

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru
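
The following is an added example, not part of the thread: it generates the allow-list from AK's reply for a given interface and port list, and refuses to proceed when kern.securelevel is 3 or higher, the level at which FreeBSD's security(7) freezes packet filter rules. The function names and the --apply flag are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and --apply are illustrative.

# security(7): at kern.securelevel 3 or higher, ipfw rules cannot be changed.
# Succeeds (0) only when rules are still changeable; a non-numeric level fails closed.
ipfw_rules_mutable() {
    [ "$1" -lt 3 ] 2>/dev/null
}

# Succeeds when $1 is a decimal TCP port in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the allow-list from AK's reply for interface $1 and the ports that follow.
# Every port is validated before any rule is printed, so output is all-or-nothing.
build_ruleset() {
    iface=$1; shift
    for port in "$@"; do
        valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    done
    for port in "$@"; do
        echo "ipfw add allow tcp from any to any $port in recv $iface"
        echo "ipfw add allow tcp from any $port to any out xmit $iface"
    done
    # Unnumbered "add" is numbered after existing rules, so the deny comes last.
    echo "ipfw add deny ip from any to any"
}

# $1 = securelevel, $2 = interface, rest = ports. Prints the ruleset, or refuses.
plan_apply() {
    level=$1; shift
    if ! ipfw_rules_mutable "$level"; then
        echo "kern.securelevel=$level: ipfw rules are frozen, not applying" >&2
        return 1
    fi
    build_ruleset "$@"
}

# Only with --apply (FreeBSD, as root): read the live securelevel and load the rules.
if [ "${1:-}" = "--apply" ]; then
    rules=$(plan_apply "$(sysctl -n kern.securelevel)" ed0 22 3128) || exit 1
    printf '%s\n' "$rules" | sh -e
fi
```

Because a running system can only raise kern.securelevel, never lower it, the rules have to be in place before the level reaches 3.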


