suid bit files + securing FreeBSD

[Peter Rosa]

Hello everybody,

I'm a newbie in this list, so I don't know if it's the appropriate place
for my question. Anyway, I'd be happy to find out the solution.

Please, has anyone simple answer for:

I'm looking for an exact list of files, which:
1. MUST have...
2. HAVE FROM BSD INSTALLATION...
3. DO NOT NEED...
4. NEVER MAY...
...the suid-bit set.

Of course, it's no problem to find-out which files ALREADY HAS
suid-bit set. But what files REALLY MUST have it ?
I know generalities, as e.g. shell should never have suid bit set,
but what if someone has copied any shell to some other location
and have set the suid bit ? It's security hole, isn't it ?
And what if I have more such files on my machine ?
It is not about my machine has been compromited, it is only WHAT IF...

--------------------------------------------

Second question is: Has anybody an exact wizard, how to secure
the FreeBSD machine. Imagine the situation, the only person who 
can do anything on that machine is me, and nobody other. I have 
set very restrictive firewalling, I have removed ALL tty's except 
two local tty's (I need to work on that machine), but there are 
still open port 25 and 53 (must be forever), so someone very 
tricky can compromite my machine. 

I'm a little bit paranoic, don't I :-)))))))

Cheers,

Peter Rosa