Date:      Sat, 22 Sep 2001 11:08:58 -0300 (ART)
From:      Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To:        Chip <chip@wiegand.org>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   Re: security and firewall
Message-ID:  <20010922105325.B30038-100000@cactus.fi.uba.ar>
In-Reply-To: <01092117533704.84922@chip.wiegand.org>

On Fri, 21 Sep 2001, Chip wrote:

> I have a fbsd 4.0 box running nothing but natd/ipfw, and it appears to be
> fairly secure - I ran nmap against it from another fbsd box outside my
> network and it shows only the sunrpc port 111 open. I have added to my ipfw
> rules a rule that explicitly denies port 111. I have also disabled inetd and
> yet get the following udp ports showing as open - 111, 514, 520.

UDP scans may give you a lot of false positives, because the scan relies on
you *not* returning an answer if the port is open. If you drop the packet on
the floor instead of returning an ICMP port unreachable, nmap assumes the port is
open. To be sure, run sockstat on the firewall.

Port 111 is portmapper. Shut it down, and add "portmap_enable=NO" to your
rc.conf.

Port 514 is syslog, restart it with -ss, so it won't open any network sockets.

Port 520 is routed. If you don't need any dynamic routing protocols,
shut it down. If you are asking whether you need it or not, shut it down =0).

>
> Now my question - Just what can I do to tighten my security? To make sure my
> machine isn't used as a relay, or just general protection? Are there some web
> pages that cover this basic security stuff someone can point me to?

For firewall configuration, I recommend "Building Internet Firewalls, 2nd Ed.",
by Chapman et al., O'Reilly.

For anti-relay measures, the default sendmail.cf shipped with FreeBSD denies
relaying by default. You can go to www.sendmail.org and read the configuration
pages about relaying.

Hope this helps.


				Fer


>
> --
> Chip W.
>
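As an added illustration of the "run sockstat on the firewall" advice above (this is not part of the original thread), the script below feeds a constructed `sockstat -4 -l` listing through awk to see which of the three UDP ports nmap reported actually have a listening process, and pairs each real listener with the rc.conf setting that removes it. The `portmap_enable` name comes from the reply; `syslogd_flags` and `router_enable` are the FreeBSD rc.conf variables for syslogd and routed and are not stated in the reply.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4 -l` output: portmap and syslogd are
# listening on UDP, but nothing owns udp/520, so that nmap hit is a false
# positive caused by the firewall dropping the probe instead of rejecting it.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
daemon   portmap    112   4  udp4   *:111                 *:*
root     syslogd    120   4  udp4   *:514                 *:*
root     sshd       140   3  tcp4   *:22                  *:*'

# udp_listener PORT SOCKSTAT_TEXT -> prints the owning command, or "none".
# Columns: USER COMMAND PID FD PROTO LOCAL FOREIGN; the port is the last
# colon-separated field of LOCAL ("*:111" or "10.0.0.1:111").
udp_listener() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $5 ~ /^udp/ { n = split($6, a, ":"); if (a[n] == p) { print $2; found = 1 } }
        END { if (!found) print "none" }'
}

# fix_for PORT -> the /etc/rc.conf line that stops the service from binding
# the network (syslogd -ss keeps logging locally but opens no sockets).
fix_for() {
    case $1 in
        111) echo 'portmap_enable="NO"' ;;
        514) echo 'syslogd_flags="-ss"' ;;
        520) echo 'router_enable="NO"' ;;
        *)   echo "no known fix" ;;
    esac
}

# report SOCKSTAT_TEXT -> one verdict per port nmap flagged
report() {
    for p in 111 514 520; do
        owner=$(udp_listener "$p" "$1")
        if [ "$owner" = none ]; then
            echo "udp/$p: no listener, nmap result was a false positive"
        else
            echo "udp/$p: $owner is listening; add $(fix_for "$p") to /etc/rc.conf"
        fi
    done
}

report "$SOCKSTAT_SAMPLE"
```

On a real box replace the sample with `SOCKSTAT_SAMPLE=$(sockstat -4 -l)`; only ports that sockstat shows as bound need a change, the rest are scan artifacts.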

