Eric F Crist wrote:

On Saturday 14 February 2004 10:26 am, JJB wrote:


This port map is only showing you which ports are open to accept
start requests from the public internet. It looks like you are using
IPFW with stateless rules, which provide only a very basic level
of security. Use stateful rules with the 'out' and 'via' keywords to
separate your firewall into outbound control, where you allow all
these ports listed below out to the public internet. Then for the
inbound side use stateful rules with the 'in' and 'via' keywords,
allowing in only the ports that you have servers running on. That
will close all those listed ports to inbound availability. If you
have a LAN behind your gateway and are using ipfw with the divert rule
(a legacy subroutine call to the userland natd), then stateful rules
do not work because of a legacy bug in the basic concept design of
this process. Use IPFILTER; its stateful rules work in a NATed
environment and as such provide a much higher level of security than
IPFW can provide in a NATed environment. I have an IPFILTER sample
rule set if you are interested.



Thanks for the reply. This is not a NATed environment. For the time being, I've got DSL with a /29 network. I'm running DNS, mail, etc. right from my own box. I guess my question was, what are those two services I listed, submission and hp-alrm-mgr? Are there any ipfw rules that I SHOULD set? Here's my current ruleset:


00100 1622 256612 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
00600 3931 501305 allow ip from any to any
65535    0      0 deny ip from any to any

This is obviously a very wide-open server right now. I'm guessing I should add some rules like the following?

# replace rule 600 so that it only passes packets of already
# established TCP sessions ('established' is a TCP-only option,
# so the protocol has to be tcp, not ip)
delete 600
add 600 allow tcp from any to any established

# inbound services: in ipfw the port follows the address directly
# (there is no 'port' keyword) and a port can only be given for
# tcp or udp, never for plain 'ip'
add allow tcp from any to <server ip address> <mail>
add allow tcp from any to <server ip address> <ftp>
add allow tcp from any to <server ip address> <irc1>
add allow tcp from any to <server ip address> <irc2>
add allow tcp from any to <server ip address> <irc3>
add allow tcp from any to <server ip address> <ssh>
add allow tcp from any to <server ip address> <dns>
# DNS is also served over UDP
add allow udp from any to <server ip address> <dns>
add allow tcp from any to <server ip address> 110
add allow tcp from any to <server ip address> 443

# mysql: refused only when it arrives on the public interface dc0;
# options such as 'in via' come after the address and port
add deny tcp from any to <server ip address> <mysql> in via dc0
add deny ip from any to <server ip address>

As for MySQL, I assume that since the only thing accessing it should be my local web server, I don't need it to have public (inet) access?



Sample FTP/SMTP/DNS/HTTP entry:

   # the port belongs right after the destination address; options
   # such as 'in via' and 'setup' follow it
   add allow tcp from any to ${me} 22 in via ${oif} setup   # ssh
   add allow tcp from any to ${me} 25 in via ${oif} setup   # smtp
   add allow tcp from any to ${me} 53 in via ${oif} setup   # dns (tcp)
   add allow tcp from any to ${me} 80 in via ${oif} setup   # http

These must be paired with, later in the list:

add allow tcp from any to ${me} established


HTH,


Kevin Kinsey
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
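The two pieces of advice in this thread (JJB's stateful 'in'/'out' 'via' split and Kevin's 'setup' rules for the services actually running) can be put together into one rule set for a host like Eric's, which owns its public addresses and does no NAT. The script below is an added example, not code posted by anyone in the thread. The interface name, the address, the service list and the rule numbers are assumptions; set them for your own box. With fwcmd left at its default the script only prints the rules, so it can be reviewed before loading with fwcmd="ipfw -q".

```shell
#!/bin/sh
# Stateful ipfw rule set for a host with public addresses and no NAT.
# Added example; interface, address and services are assumed values.
# fwcmd defaults to a dry run that prints the rules; set fwcmd="ipfw -q"
# to actually load them.
fwcmd="${fwcmd:-echo}"

build_ruleset() {
    oif="$1"   # public interface, e.g. dc0
    me="$2"    # this host's public address
    # TCP services this host runs (ssh smtp dns http pop3 https submission)
    tcp_services="${3:-22 25 53 80 110 443 587}"

    $fwcmd -f flush
    # loopback: pass it, and drop anything carrying 127/8 on a real interface
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any
    # anti-spoof: packets claiming to be from us cannot arrive from outside
    $fwcmd add 400 deny ip from "$me" to any in via "$oif"
    # match packets belonging to sessions already allowed below
    $fwcmd add 500 check-state
    # outbound: whatever this host starts is allowed and remembered,
    # so replies get back in through check-state, not through open ports
    $fwcmd add 600 allow tcp from "$me" to any out via "$oif" setup keep-state
    $fwcmd add 700 allow udp from "$me" to any out via "$oif" keep-state
    $fwcmd add 800 allow icmp from "$me" to any out via "$oif" keep-state
    # inbound: only connection setups to the listed services, remembered
    n=1000
    for p in $tcp_services; do
        $fwcmd add $n allow tcp from any to "$me" "$p" in via "$oif" setup keep-state
        n=$((n + 10))
    done
    # DNS also answers over UDP
    $fwcmd add 2000 allow udp from any to "$me" 53 in via "$oif" keep-state
    # ICMP worth accepting: unreachable, echo request, time exceeded
    $fwcmd add 2100 allow icmp from any to "$me" in via "$oif" icmptypes 3,8,11
    # everything else is dropped and logged; mysql (3306) never appears
    # above, so it is reachable only from the box itself
    $fwcmd add 65000 deny log ip from any to any
}

# usage: build_ruleset <public interface> <public address> [tcp ports]
build_ruleset dc0 192.0.2.10
```

Because every allowed connection is tracked with keep-state, the blanket 'established' rule from the stateless approach is not needed; it would let an ACK-only packet reach any port, whereas check-state only passes packets that belong to a session the firewall saw start. Loading a rule set like this over ssh will cut the session unless rule 65000 is added last, which is why the script is worth a dry run first.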
