Date: Sat, 14 Feb 2004 10:45:52 -0600
From: Eric F Crist <ecrist@adtechintegrated.com>
To: <Barbish3@adelphia.net>
Cc: FreeBSD questions List <freebsd-questions@freebsd.org>
Subject: Re: Running processes...
Message-ID: <200402141046.04388.ecrist@adtechintegrated.com>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGIEBFFLAA.Barbish3@adelphia.net>
References: <MIEPLLIBMLEEABPDBIEGIEBFFLAA.Barbish3@adelphia.net>
On Saturday 14 February 2004 10:26 am, JJB wrote:
> This port map is only showing you what ports are open to accept
> start requests from the public internet. Looks like you are using
> IPFW with stateless rules, which just provides a very basic level
> of security. Use stateful rules with 'out' and 'via' keywords to
> separate your firewall into outbound control where you allow all
> these ports listed below out to the public internet. Then for the
> inbound side use stateful rules with 'in' and 'via' keywords
> allowing in only the ports that you have servers running on. That
> will close all those listed ports to inbound availability. If you
> have a LAN behind your gateway and are using ipfw with a divert rule
> (legacy sub-routine call to userland natd), then stateful rules do not
> work because of a legacy bug in the basic concept design of this
> process. Use IPFILTER; its stateful rules work in a NATed environment
> and as such provide a much higher level of security than IPFW can
> provide in a NATed environment. I have an IPFILTER sample rule set if
> you are interested.

Thanks for the reply. This is not a NATed environment. For the time being, I've got DSL with a /29 network. I'm running DNS, Mail, etc. right from my own box. I guess my question was, what are those two services I listed? Submission and hp-alrm-mgr? Are there any ipfw rules that I SHOULD set?

Here's my current ruleset:

00100 1622 256612 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00600 3931 501305 allow ip from any to any
65535 0 0 deny ip from any to any

This is obviously a very wide-open server right now. I'm guessing I should add some rules like the following?

change 0600 to allow ip from any to any established
add allow ip from any to <server ip address> port <mail>
add allow ip from any to <server ip address> port <ftp>
add allow ip from any to <server ip address> port <irc1>
add allow ip from any to <server ip address> port <irc2>
add allow ip from any to <server ip address> port <irc3>
add allow ip from any to <server ip address> port <ssh>
add allow ip from any to <server ip address> port <dns>
add allow ip from any to <server ip address> port <110>
add allow ip from any to <server ip address> port <443>
add deny ip from any to <server ip address> via dc0 port <mysql>
add deny ip from any to <server ip address>

The mysql, I assume, since the only thing accessing it should be my local web server, I don't need it to have public (inet) access?

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588
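The stateful layout JJB describes, applied to Eric's situation (a server sitting directly on a public /29 with no NAT), as an added example that is not part of the thread or of either poster's rules. Assumptions: the external interface is dc0 (the only interface named in the thread), the server address is the RFC 5737 documentation placeholder 192.0.2.10, the listed services use their standard ports (ftp 21, ssh 22, smtp 25, dns 53, pop3 110, https 443; the irc ports Eric left unspecified are omitted), and MySQL listens on 3306.

```sh
#!/bin/sh
# Added example, not from the thread: a stateful ipfw ruleset laid out the way
# JJB describes, for a server that sits directly on a public /29 with no NAT.
# Assumed values: external interface dc0 (named in the thread), the RFC 5737
# placeholder address 192.0.2.10, and standard ports for the listed services.
FWCMD=${FWCMD:-/sbin/ipfw}
IFACE=${IFACE:-dc0}
SERVER=${SERVER:-192.0.2.10}
# TCP services the box actually runs: ftp ssh smtp dns pop3 https
TCP_PORTS=${TCP_PORTS:-"21 22 25 53 110 443"}

build_rules() {
    # Loopback and anti-spoof rules, kept from the posted ruleset.
    echo "add 00100 allow ip from any to any via lo0"
    echo "add 00200 deny ip from any to 127.0.0.0/8"
    echo "add 00300 deny ip from 127.0.0.0/8 to any"
    # Packets that belong to a connection already tracked pass here, both ways.
    echo "add 00400 check-state"
    # Outbound side: anything the server itself starts is allowed and tracked.
    echo "add 00500 allow ip from $SERVER to any out via $IFACE keep-state"
    # Inbound side: only new connections (SYN) to listening services, tracked.
    num=1000
    for p in $TCP_PORTS; do
        echo "add $(printf '%05d' "$num") allow tcp from any to $SERVER $p in via $IFACE setup keep-state"
        num=$((num + 100))
    done
    echo "add 02000 allow udp from any to $SERVER 53 in via $IFACE keep-state"
    # MySQL is only for the local web server; log outside attempts so scans show up.
    echo "add 03000 deny log tcp from any to $SERVER 3306 in via $IFACE"
    # Everything else, including inbound ACK-only segments that matched no state.
    echo "add 65000 deny log ip from any to any"
}

# Load the ruleset into the kernel (needs root and a kernel with ipfw).
apply_rules() {
    $FWCMD -f flush
    build_rules | while read -r rule; do
        $FWCMD $rule
    done
}

rule_count() { build_rules | wc -l | tr -d ' '; }

# ./ipfw-stateful.sh prints the rules; ./ipfw-stateful.sh apply loads them.
if [ "${1:-}" = apply ]; then apply_rules; else build_rules; fi
```

Unlike the `established` rule Eric proposes, inbound traffic here is accepted only when it opens a connection to a port the server actually listens on or belongs to a connection the firewall already tracks, so a bare ACK aimed at any other port is dropped and logged.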
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200402141046.04388.ecrist>