Running processes...

Kevin D. Kinsey, DaleCo, S.P. kdk at daleco.biz
Sat Feb 14 09:52:52 PST 2004


Eric F Crist wrote:

>On Saturday 14 February 2004 10:26 am, JJB wrote:
>  
>
>>This port map is only showing you what ports are open to accept
>>start requests from the public internet. Looks like you are using
>>IPFW with stateless rules which just provides an  very basic level
>>of security. Use stateful rules with 'out' and 'via' keywords to
>>separate your firewall into out bound control where you allow all
>>these ports listed below out to the public internet. Then for the
>>inbound side use stateful rules with 'in' and 'via' keywords
>>allowing in only the ports that you have servers running on. That
>>will close all those listed ports to inbound availability. If you
>>have LAN behind your gateway and using ipfw with divert rule legacy
>>sub-routine call to userland Natd then stateful rules do not work
>>because of legacy bug in basic concept design of this process.  Use
>>IPFILTER, it's stateful rules work in Nated environment and as such
>>provides an much highter level of security than IPFW can provide in
>>an Nated environment.  I have IPFILTER sample rule set if you are
>>interested.
>>    
>>
>
>Thanks for the reply.  This is not a nated environment.  For the time being, 
>I've got DSL with a /29 network.  I'm running DNS, Mail, etc right from my 
>own box.  I guess my question was, what are those two services I listed?  
>Submission and hp-alrm-mgr?  Are there any ipfw rules that I SHOULD set?  
>Here's my current ruleset:
>
>00100 1622 256612 allow ip from any to any via lo0
>00200    0      0 deny ip from any to 127.0.0.0/8
>00300    0      0 deny ip from 127.0.0.0/8 to any
>00600 3931 501305 allow ip from any to any
>65535    0      0 deny ip from any to any
>
>This is obviously an very wide-open server right now.  I'm guessing I should 
>add some rules like the following?
>
>change 0600 to allow ip from any to any established
>add allow ip from any to <server ip address> port <mail>
>add allow ip from any to <server ip address> port <ftp>
>add allow ip from any to <server ip address> port <irc1>
>add allow ip from any to <server ip address> port <irc2>
>add allow ip from any to <server ip address> port <irc3>
>add allow ip from any to <server ip address> port <ssh>
>add allow ip from any to <server ip address> port <dns>
>add allow ip from any to <server ip address> port <110>
>add allow ip from any to <server ip address> port <443>
>add deny ip from any to <server ip address> via dc0 port <mysql>
>add deny ip from any to <server ip address>
>
>The mysql, I assume, since the only thing accessing it should be my local web 
>server, I don't need it to have public (inet) access?
>
>  
>
Sample FTP/SMTP/DNS/HTTP entry:

    add allow tcp from any to {$me} in via ${oif} 22 setup
    add allow tcp from any to {$me} in via ${oif} 25 setup
    add allow tcp from any to {$me} in via ${oif} 53 setup
    add allow tcp from any to {$me} in via ${oif} 80 setup

These must be paired with, later in list:

    add allow tcp from any to {$me} established


HTH,

Kevin Kinsey


More information about the freebsd-questions mailing list