Date: Tue, 28 Aug 2001 16:31:24 +0200 (CEST) From: =?iso-8859-1?q?m=20p?= <sumirati@yahoo.de> To: midiostri@in.gr Cc: questions@freebsd.org Subject: Re: Security ! Message-ID: <20010828143124.34624.qmail@web13304.mail.yahoo.com>
next in thread | raw e-mail | index | archive | help
> Hi, > > I'm busy securing our LAN and I need to setup a freebsd 4.3 box that will run > as firewall and protect my vulnerable network from the internet chaos. I also > think of running NAT there too. > > There appear to be quite a lot of hackers and intruders in the wild and I need > to keep them out of my lan. > > I'd appreciate any suggestions or links/references to stuff that can help me > on this. > > Also, are there any scripts that can be run periodically on a computer and > check if there are changes made to files ? > > Thanks, > Dimitri > Hi Dimitri, yes, there are many bad guys outside. Ok. What you want to have is a firewall system. A firewall consist of different systems that have "layered" architecture. System A will only allow some traffic directed to your network System B will only allow "valid" (you define what it is) to the internet. System C will look at the request of your users to block some content. What the system D to Z will do depends on you. For A and B you can try out ipfw - the FreeBSD own IP firewall. Or you can try Mr Reeds ipfilter which is available for many platforms. There are some links in the archive of the mailinglists. Try a search under: http://www.freebsd.org/search/search.html#mailinglists A good tutorial about ipfw was mentioned under: http://renaud.waldura.com/doc/freebsd/firewall/ Looking at www.freebsddiary.org www.daemonnews.org is a good idea too The autor of a book about Linux put up a script online which will give you some rules for ipfw and/or ipfilter to start with: http://www.linux-firewall-tools.com/linux/firewall/index.html Or you can read /etc/rc.firewall on your local system to get some ideas about writing firewall rulesets. For reading I can recommend: Building Internet Firewalls from Zwicky and Chapman The script that will run every night is already in place. It will check some files (with suid-flag set) for changes. If you want to check every (and not only setuid-files) take a look at tripwire. It is in the ports. (cd /usr/ports; make search key=tripwire) The last point to mention is: Follow the RELENG_4_3 (in your case; next release have to RELENG_4_4) cvs-branch. It has all known security bugs fixed. For that you want to read "Staying stable" in the FreeBSD handbook under: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/current-stable.html Good luck Marc __________________________________________________________________ Do You Yahoo!? Gesendet von Yahoo! Mail - http://mail.yahoo.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010828143124.34624.qmail>