Date:      Tue, 29 Jun 2004 13:28:29 -0500
From:      Ben Timby <asp@webexc.com>
To:        Peter Zyumbilev <peter@hostmansion.com>
Cc:        questions@freebsd.org
Subject:   Re: firewall for web server
Message-ID:  <40E1B4CD.3070604@webexc.com>
In-Reply-To: <38256.194.39.131.39.1088401582.squirrel@194.39.131.39>
References:  <38256.194.39.131.39.1088401582.squirrel@194.39.131.39>

Peter, choose your firewall software. With a host firewall (what you are 
looking for, not a network firewall), the features you need will be 
limited. Find a howto on using that firewall package. The only 
difference between what you want and what most howtos provide 
instructions for is the ruleset. You will probably want rules like the 
following:

--
block in log all (default deny stance).
block out log all (default deny stance).

allow in tcp port 80 SYN/SYN+ACK keep state (only allow new connections 
and established ones to httpd).

allow in tcp port 22 SYN/SYN+ACK from host <your remote network here> 
keep state (only allow new connections and established ones to sshd).

allow out tcp src port > 1024 dest port < 1024 keep state (only allow 
new connections and established ones to "server" ports from "client" ports).
--

Modify for your firewall package and to suit your needs. Something 
simple like the above is probably all you need.

I personally have used ipfilter in the past with good success, but I 
currently use pf, which is ported from OpenBSD, and is the most 
excellent firewall package I have ever used. The rule preprocessor makes 
writing rules a breeze. I will not use any other firewall package again 
as long as pf is a choice.

Hope that helps.

Peter Zyumbilev wrote:

> Hello,
> 
> Do you know some good tutorial for building firewall for FreeBSD as web
> server. I found a lot of tutorials but for FreeBSD as router.
> Some commented premade script with comments will also do the job.
> I was planning to use APF, but I am afraid to install it on FreeBSD
> without good tutorial.
> Please advise.
> 
> Best regards,
> 
> Peter
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
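
The generic ruleset in the reply above, written out as a pf.conf for a single web host. This is an added example, not part of the original message; the interface name, the administration network and the loopback line are assumptions.

```pf
# /etc/pf.conf -- constructed example for a host firewall on a web server.
# pf evaluates every rule and the LAST match wins, so the blanket
# block rules come first and the pass rules below override them.

ext_if    = "em0"            # assumption: name of the external interface
admin_net = "192.0.2.0/24"   # placeholder for "<your remote network here>"

# Assumption, not in the message: leave loopback unfiltered so local
# services that talk over lo0 are not caught by the default deny.
set skip on lo0

# Default deny stance in both directions, logged to pflog.
block in  log all
block out log all

# httpd: "flags S/SA" matches only packets with SYN set and ACK clear,
# i.e. new connections; "keep state" admits the rest of each connection.
pass in on $ext_if proto tcp from any to any port 80 flags S/SA keep state

# sshd: same, but only from the administration network.
pass in on $ext_if proto tcp from $admin_net to any port 22 flags S/SA keep state

# Outbound: new connections from "client" ports to "server" ports.
pass out on $ext_if proto tcp from any port > 1024 to any port < 1024 flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which catches syntax errors before the default deny can lock out a remote session.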


