Running processes...
Eric F Crist
ecrist at adtechintegrated.com
Sat Feb 14 08:46:10 PST 2004
On Saturday 14 February 2004 10:26 am, JJB wrote:
> This port map is only showing you what ports are open to accept
> start requests from the public internet. Looks like you are using
> IPFW with stateless rules which just provides an very basic level
> of security. Use stateful rules with 'out' and 'via' keywords to
> separate your firewall into out bound control where you allow all
> these ports listed below out to the public internet. Then for the
> inbound side use stateful rules with 'in' and 'via' keywords
> allowing in only the ports that you have servers running on. That
> will close all those listed ports to inbound availability. If you
> have LAN behind your gateway and using ipfw with divert rule legacy
> sub-routine call to userland Natd then stateful rules do not work
> because of legacy bug in basic concept design of this process. Use
> IPFILTER, it's stateful rules work in Nated environment and as such
> provides an much highter level of security than IPFW can provide in
> an Nated environment. I have IPFILTER sample rule set if you are
> interested.
Thanks for the reply. This is not a nated environment. For the time being,
I've got DSL with a /29 network. I'm running DNS, Mail, etc right from my
own box. I guess my question was, what are those two services I listed?
Submission and hp-alrm-mgr? Are there any ipfw rules that I SHOULD set?
Here's my current ruleset:
00100 1622 256612 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00600 3931 501305 allow ip from any to any
65535 0 0 deny ip from any to any
This is obviously an very wide-open server right now. I'm guessing I should
add some rules like the following?
change 0600 to allow ip from any to any established
add allow ip from any to <server ip address> port <mail>
add allow ip from any to <server ip address> port <ftp>
add allow ip from any to <server ip address> port <irc1>
add allow ip from any to <server ip address> port <irc2>
add allow ip from any to <server ip address> port <irc3>
add allow ip from any to <server ip address> port <ssh>
add allow ip from any to <server ip address> port <dns>
add allow ip from any to <server ip address> port <110>
add allow ip from any to <server ip address> port <443>
add deny ip from any to <server ip address> via dc0 port <mysql>
add deny ip from any to <server ip address>
The mysql, I assume, since the only thing accessing it should be my local web
server, I don't need it to have public (inet) access?
--
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20040214/c69251b3/attachment.bin
More information about the freebsd-questions
mailing list