Date:      Fri, 14 Jun 2002 19:59:20 -0300 (ART)
From:      Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To:        John Newlin <jnewlin@tsoft.com>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   Re: ipfw and other security questions
Message-ID:  <20020614194545.X34605-100000@localhost>
In-Reply-To: <200206142142.OAA28697@shell.tsoft.com>

On Fri, 14 Jun 2002, John Newlin wrote:

> Hi,
>
> I have a very simple setup at home.  One static IP that my wife and I share,
> so I setup a computer running FreeBSD to do NAT via natd.
>
> This setup is replacing a Linux config that was hacked into
> via some buffer overflow bug in sshd (my fault for not keeping
> up with patches.)
>
> It is currently up and running, but I'm a little bit concerned
> over security, and also I don't quite understand some things.
> Maybe someone can help me out.
>
>
> 1) What is the difference between natd and ipnat?  I see natd
>    runs in user-land, and ipnat appears to do the same sorts of
>    things but is compiled into the kernel.

They are two ways of doing NAT. If you use IPFilter for filtering, you use
ipnat. If you use ipfw, you use natd. Personally, I prefer ipnat, but they
are both very good.

>
> 2) I'm setting up some simple firewall rules.  I see through sysctl
>    that there are 3 different sets of port ranges.  Can someone explain
>    where these 3 different sets of ranges are used:
>      net.inet.ip.portrange.lowfirst: 1023
>      net.inet.ip.portrange.lowlast: 600

These are the port ranges for apps which need a "privileged port" to connect.
rlogin is an example. ssh with shosts auth is another one.

>      net.inet.ip.portrange.first: 1024
>      net.inet.ip.portrange.last: 5000

These are the "random" ports you get when you are trying to connect to a
remote server. These are the ports a browser, telnet client or ftp client get
when they are connected to a remote server.

>      net.inet.ip.portrange.hifirst: 49152
>      net.inet.ip.portrange.hilast: 65535

I don't remember well, but I seem to recall these are used to tweak FTP
behavior, in which random port the ftpd opens a listening socket in passive
mode. They look similar to the previous ones, but for servers.

>
> 3) I've turned off all services except for sshd (which is running
>    on a non-standard port).  What portranges should I open up access
>    to from my internal net?  I'm assuming that this is somehow
>    related to the above ranges in some fashion.
>
> 4) Why is syslog listening on a udp port?  :)
>

If you don't log to a remote syslogd, start it with -ss.

>
> 5) chflags and schg.  Does anyone really lock stuff down with this?
>    and if so, what files?

Every system binary, library, script *and the directories they are in*.
Raise the securelevel or you won't be buying that much.

>
>
> I'm sure I will have more,
>
> Thanks,
>
> -John
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>


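An added worked example, not part of the thread above: a small POSIX sh script that takes the six net.inet.ip.portrange sysctl values quoted in the question and tells you which of the three ranges a given source port would have been allocated from, which is the classification a firewall rule for "ports my internal net needs open" rests on. The sysctl text is a constructed copy of the values in the mail (on a FreeBSD host you would pipe in `sysctl net.inet.ip.portrange` instead), and the function names `sysctl_val`, `in_range` and `port_class` are this example's own. One caveat the values themselves show: the "low" range is listed high-to-low (lowfirst: 1023, lowlast: 600), because reserved ports are handed out counting downward, so a naive `first <= port <= last` test would never match it; the example normalizes the bounds before comparing.

```sh
#!/bin/sh
# Constructed copy of the sysctl output quoted in the thread, embedded so the
# example runs on any system. On FreeBSD, replace this with:
#   PORTRANGE_SYSCTLS=$(sysctl net.inet.ip.portrange)
PORTRANGE_SYSCTLS='net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535'

# sysctl_val NAME: pull one value (e.g. NAME=lowfirst) out of the text above.
sysctl_val() {
    printf '%s\n' "$PORTRANGE_SYSCTLS" |
        awk -v key="net.inet.ip.portrange.$1:" '$1 == key { print $2 }'
}

# in_range PORT A B: true if PORT lies between A and B inclusive, in either
# order. The "low" range is given as 1023..600 because those ports are
# allocated downward, so the bounds are swapped before comparing.
in_range() {
    p=$1; a=$2; b=$3
    if [ "$a" -gt "$b" ]; then t=$a; a=$b; b=$t; fi
    [ "$p" -ge "$a" ] && [ "$p" -le "$b" ]
}

# port_class PORT: name the sysctl range a client source port came from.
port_class() {
    port=$1
    if in_range "$port" "$(sysctl_val lowfirst)" "$(sysctl_val lowlast)"; then
        echo reserved      # privileged client ports (rlogin, rsh, ssh hostbased)
    elif in_range "$port" "$(sysctl_val first)" "$(sysctl_val last)"; then
        echo ephemeral     # ordinary outbound client connections
    elif in_range "$port" "$(sysctl_val hifirst)" "$(sysctl_val hilast)"; then
        echo high          # the high range the reply associates with passive ftp
    else
        echo unlisted      # covered by none of the three ranges
    fi
}

# Usage: classify a constructed sample of source ports, including the edges.
for p in 1023 600 599 1024 5000 5001 49152 65535 22; do
    printf '%5s %s\n' "$p" "$(port_class "$p")"
done
```

Because the reserved range only matches after the bounds are normalized, a rule set written from the raw sysctl numbers would silently leave ports 600 through 1023 unclassified; running the loop above is a quick way to check that the ranges you are about to encode in ipfw rules are the ones the kernel actually uses.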




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020614194545.X34605-100000>