Date: Thu, 4 Mar 2004 02:16:03 +0100
From: Danny Pansters <danny@ricin.com>
To: freebsd-questions@freebsd.org
Subject: Re: ipfw rules
Message-ID: <200403040216.03105.danny@ricin.com>
In-Reply-To: <40467B85.9070302@shaw.ca>
References: <40467B85.9070302@shaw.ca>
On Thursday 04 March 2004 01:42, RYAN vAN GINNEKEN wrote:
> I know this has probably been posted 1000's of times but I would like to
> set up an ipfw firewall. I run many services on this machine. It acts as a
> gateway for my network:
> APACHE web server 80/TCP and perhaps 443/TCP
> IMAP mail server 143/TCP
> SMTP mail server 25/TCP
> BIND name server 53/UDP, for xfers 53/TCP
> FTP server 21/TCP, 20/TCP maybe

(I use ipf but the principles are the same)

- block in/out packages you never want to see at all (e.g. with weird opts or too short to be normal)
- block in anything from your own IP
- block in anything from private addresses (you can get and update lists of these)
- let no broadcasting packets come in or go out, even on wrong bcast addresses
- block in (and log) everything else except:
  - your services on their ports, keep state and with proxy if needed (ftp?)
  - let everything outward go and keep state
  or:
  - let nothing out except what you may initialize (and keep state), e.g. web traffic, mail retrieval, etc. More cumbersome.
- decide on ping etc.: what do you want to come in and what ICMP do you want to respond to
- send out resets rather than ICMP-no-answer, or whatever it's called, on blocked ports

Keep huge big logs at first, then later strip out what you know means no harm.

I don't know about VNC.

HTH,

Dan
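Dan's outline, written out as an ipfw ruleset for the services Ryan listed. This is an added example, not code from either poster; the interface name `fxp0`, the address `192.0.2.10` and the rule numbers are assumed placeholders. The script only prints the `ipfw -q add` commands so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread): Dan's outline expressed as an ipfw
# ruleset. It prints the "ipfw -q add" commands instead of running them, so
# the list can be reviewed first and then applied with:  sh rules.sh | sh
# The interface name and address are placeholders for the gateway's WAN side.
ext_if="fxp0"            # assumed external interface name
ext_ip="192.0.2.10"      # assumed external address (documentation range)
privnets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 127.0.0.0/8"

gen_ipfw_rules() {
    add="ipfw -q add"
    echo "ipfw -q flush"
    echo "$add 100 allow ip from any to any via lo0"
    # packets you never want to see: source-route / record-route IP options
    echo "$add 200 deny log ip from any to any ipoptions ssrr,lsrr,rr,ts"
    # dynamic (keep-state) entries for established flows are matched here
    echo "$add 300 check-state"
    # nothing arriving from outside may claim our own address
    echo "$add 400 deny log ip from $ext_ip to any in via $ext_if"
    # private, link-local and loopback space has no business arriving on the WAN
    n=500
    for net in $privnets; do
        echo "$add $n deny log ip from $net to any in via $ext_if"
        n=$((n + 1))
    done
    # no limited-broadcast traffic in either direction on the WAN interface
    echo "$add 600 deny ip from any to 255.255.255.255 via $ext_if"
    # offered services, each stateful: web, IMAP, SMTP, DNS (UDP + TCP xfers), FTP control.
    # Active-mode FTP data (server port 20 -> client) rides the outbound rule below;
    # passive mode still needs a data port range or a proxy.
    echo "$add 700 allow tcp from any to me 80,443 in via $ext_if setup keep-state"
    echo "$add 710 allow tcp from any to me 143 in via $ext_if setup keep-state"
    echo "$add 720 allow tcp from any to me 25 in via $ext_if setup keep-state"
    echo "$add 730 allow udp from any to me 53 in via $ext_if keep-state"
    echo "$add 740 allow tcp from any to me 53 in via $ext_if setup keep-state"
    echo "$add 750 allow tcp from any to me 21 in via $ext_if setup keep-state"
    # everything we initiate may leave; replies come back through the state table
    echo "$add 800 allow ip from me to any out via $ext_if keep-state"
    # ICMP: answer pings, accept unreachables and TTL-exceeded (traceroute, PMTUD)
    echo "$add 900 allow icmp from any to any via $ext_if icmptypes 0,3,8,11"
    # closed TCP ports answer with a RST rather than silence; then log the rest
    echo "$add 1000 reset tcp from any to any in via $ext_if"
    echo "$add 65000 deny log ip from any to any"
}

gen_ipfw_rules
```

The final `deny log` rule gives the "huge big logs" Dan suggests; once the noise is understood, individual `deny` rules without `log` can be placed above it for traffic known to be harmless.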