From owner-freebsd-security Sun Mar 28 12:14:00 1999
Delivered-To: freebsd-security@freebsd.org
Received: from quaggy.ursine.com (lambda.blueneptune.com [209.133.45.179])
	by hub.freebsd.org (Postfix) with ESMTP id E1B6614C48
	for ; Sun, 28 Mar 1999 12:13:51 -0800 (PST)
	(envelope-from fbsd-security@ursine.com)
Received: from michael (lambda.ursine.com [209.133.45.69])
	by quaggy.ursine.com (8.9.2/8.9.2) with ESMTP id MAA32091;
	Sun, 28 Mar 1999 12:13:19 -0800 (PST)
	(envelope-from fbsd-security@ursine.com)
Message-ID: <199903281213260190.4BEF77D0@quaggy.ursine.com>
In-Reply-To:
References:
X-Mailer: Calypso Evaluation Version 3.00.00.13 (2)
Date: Sun, 28 Mar 1999 12:13:26 -0800
From: "Michael Bryan"
To: "Noor Dawod"
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw behavior, is it normal?
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 3/28/99 at 2:23 PM Noor Dawod wrote:

>
> My current ipfw rules are:
>
>-----------------------------------------------------------------
>00100 allow ip from any to any via lo0
>00200 allow ip from [machine-a-ip] to [server-ip] via xl0
>00300 allow ip from [machine-b-ip] to [server-ip] via xl0
>00400 allow ip from any to [server-ip] 80 in via xl0
>00500 allow ip from any to [server-ip] 21 in via xl0
>65000 allow ip from any to any
>65535 deny ip from any to any
>-----------------------------------------------------------------

If you remove rule 65000, then you have no rules to allow any traffic
-out- of your system.

If you wanted to fully open up traffic to machine-a and machine-b, then
you could have these rules:

  00250 allow ip from [server-ip] to [machine-a-ip] via xl0
  00350 allow ip from [server-ip] to [machine-b-ip] via xl0

Similarly, you need counterparts to rules 400 and 500 for the outbound
side. (You should also be specifying "tcp" in those rules, not "ip".)
The http port is easy enough:

  00450 allow tcp from [server-ip] 80 to any out via xl0

(Assuming you're using a single IP address and a single port with your
HTTP server, of course.)

FTP access is a little trickier, thanks to the data port used by FTP, and
the issues of active vs passive FTP. I'd recommend looking at a good
firewall security book, such as the O'Reilly book. (www.ora.com) There are
a number of ways to open up FTP access, each with its own set of pros and
cons.

Michael Bryan
fbsd-security@ursine.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
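A fuller ruleset along the lines Michael describes, as an added example that is not part of the original message and is neither Michael's nor Noor's code. It generates a stateless ipfw ruleset in which every permitted flow has an inbound and an outbound half, and lints it for the mistake the reply points out (a port given on a rule whose protocol is "ip"). It goes beyond the message in two ways: it uses ipfw's "setup" and "established" keywords so that the outbound halves only carry packets of connections the inbound rules allowed, and it sketches one of the several possible FTP arrangements (active data from server port 20, passive data to a high-port range). The IP addresses, the interface name xl0, the script name and the passive port range are placeholders and assumptions; the passive range in particular must match whatever the server's ftpd is configured to use.

```shell
#!/bin/sh
# Added example, not code from the original message or from FreeBSD itself.
# Generates an ipfw ruleset in which every permitted flow has both an inbound
# and an outbound half, then lints it for rules that name a port but match
# proto "ip". Run "sh ipfw-gen.sh" to print the rules, "sh ipfw-gen.sh apply"
# as root on the firewall to load them (the script name is an assumption).

SERVER="192.0.2.10"      # constructed stand-in for [server-ip]
MACHINE_A="192.0.2.20"   # constructed stand-in for [machine-a-ip]
MACHINE_B="192.0.2.30"   # constructed stand-in for [machine-b-ip]
IFACE="xl0"              # interface name taken from the quoted ruleset
PASV_RANGE="49152-65535" # assumed passive-FTP data range; must match ftpd's setting

# Emit the ruleset, one "add ..." line per rule, in the form ipfw(8) accepts.
#   100:     loopback, as in the original ruleset.
#   200-350: machine-a and machine-b, both directions, as the reply suggests.
#   400:     packets of already-open TCP connections (ACK or RST set), both
#            directions; who may open a connection is decided by the setup rules.
#   500/600: clients may open HTTP and FTP control connections to the server.
#   700:     active-mode FTP data, which the server opens from port 20 to the client.
#   800:     passive-mode FTP data, which the client opens to a high port on the server.
#   65000:   explicit final deny; 65535 is the kernel's built-in default rule
#            and cannot be added by hand.
gen_rules() {
  cat <<EOF
add 00100 allow ip from any to any via lo0
add 00200 allow ip from $MACHINE_A to $SERVER via $IFACE
add 00250 allow ip from $SERVER to $MACHINE_A via $IFACE
add 00300 allow ip from $MACHINE_B to $SERVER via $IFACE
add 00350 allow ip from $SERVER to $MACHINE_B via $IFACE
add 00400 allow tcp from any to any via $IFACE established
add 00500 allow tcp from any to $SERVER 80 in via $IFACE setup
add 00600 allow tcp from any to $SERVER 21 in via $IFACE setup
add 00700 allow tcp from $SERVER 20 to any out via $IFACE setup
add 00800 allow tcp from any to $SERVER $PASV_RANGE in via $IFACE setup
add 65000 deny ip from any to any
EOF
}

# Read rules on stdin; report any rule whose proto (field 4) is "ip" but which
# carries a port or port range (ports only mean something for tcp/udp), the
# mistake in the quoted rules 400 and 500. Exit status 1 if any are found.
lint_rules() {
  awk '
    $4 == "ip" {
      for (i = 5; i <= NF; i++)
        if ($i ~ /^[0-9]+(-[0-9]+)?$/) {
          print "rule " $2 ": port " $i " given with proto ip"
          bad++
        }
    }
    END { exit (bad > 0) }'
}

case "${1:-print}" in
  apply)
    gen_rules | lint_rules || { echo "refusing to load: lint failed" >&2; exit 1; }
    ipfw -q -f flush
    # shellcheck disable=SC2086  # word splitting of $line is intended here
    gen_rules | while read -r line; do ipfw -q $line; done
    ;;
  *)
    gen_rules
    ;;
esac
```

Two caveats a practitioner would want. First, this is the pre-stateful ipfw pattern: rule 400 matches on TCP flags alone, so any packet with ACK set passes in both directions whether or not a connection exists; later ipfw versions added keep-state/check-state for real connection tracking, and that is the better choice where available. Second, the ruleset allows only the flows discussed in the thread, so connections the server itself initiates (DNS lookups, outbound mail, and so on) would each need their own "setup" rule in the outbound direction.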