Date: Thu, 21 Jun 2001 10:05:38 +0600
From: "Sergey N. Voronkov"
To: Malcolm
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFilter and security
Message-ID: <20010621100538.A67676@sv.tech.sibitex.tmn.ru>

On Wed, Jun 20, 2001 at 06:18:33PM -0700, Malcolm wrote:
> Hi folks,
> What do we think about installing IPFilter on non-gateway boxes
> and using it to block all incoming traffic except for whatever ports
> we want to use on our server (e.g., http, ftp)?
>

Hi!

Go and use it! I have it installed on my servers to limit usage of some
services to only the local network (such as rdump). hosts.allow is also set
to block unwanted connections. I'm going to be a really paranoid one :-).

Also, the "keep state" option helps to reduce some really stupid traffic - like
scans on TCP/53 (SA flag set).

Bye,
Serg N. Voronkov.
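The setup discussed in this thread, sketched as an ipf rule set for a non-gateway server. This is an added example, not configuration posted by either participant; the 192.0.2.0/24 local network and the choice of TCP/514 (rsh, assumed here as the transport rdump uses) are assumptions to adjust.

```conf
# ipf rule set for a single-homed server (constructed example).
# ipf applies the last matching rule unless a rule says "quick".

# Default: drop anything inbound that no later rule or state entry accepts.
block in all

# Loopback traffic is not filtered.
pass in  quick on lo0 all
pass out quick on lo0 all

# Outbound: the host may start connections; replies return via state.
pass out quick proto tcp  from any to any flags S keep state
pass out quick proto udp  from any to any keep state
pass out quick proto icmp from any to any keep state

# Public services: only an initial SYN may create a state entry.
pass in quick proto tcp from any to any port = 80 flags S keep state
# FTP control channel only; passive-mode data ports need their own rule.
pass in quick proto tcp from any to any port = 21 flags S keep state

# LAN-only service (assumed: rsh on TCP/514, local net 192.0.2.0/24).
pass in quick proto tcp from 192.0.2.0/24 to any port = 514 flags S keep state

# No rule passes a bare SYN+ACK, so an unsolicited one (such as the TCP/53
# scans mentioned in the reply) matches no state entry and hits "block in all".
```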