On Thursday 04 March 2004 01:42, RYAN vAN GINNEKEN wrote:
> I know this has probably been posted 1000's of times but I would like to
> set up an ipfw firewall. I run many services on this machine. It acts as a
> gateway for my network:
> APACHE web server 80/TCP and perhaps 443/TCP
> IMAP mail server 143/TCP
> SMTP mail server 25/TCP
> BIND name server 53/UDP, for xfers 53/TCP
> FTP server 21/TCP, 20/TCP maybe
(I use ipf but the principles are the same)

- block in/out packages you never want to see at all (e.g. with weird opts or too short to be normal)
- block in anything from your own IP
- block in anything from private addresses (you can get and update lists of these)
- let no broadcasting packets come in or go out, even on wrong bcast addresses
- block in (and log) everything else except:
  - your services on their ports, keep state and with proxy if needed (ftp?)
  - let everything outward go and keep state, or:
  - let nothing out except what you may initialize (and keep state), e.g. web traffic, mail retrieval, etc. More cumbersome.
- decide on ping etc.: what do you want to come in and what ICMP do you want to respond to
- send out resets rather than ICMP-no-answer (or whatever it's called) on blocked ports

Keep huge big logs at first, then later strip out what you know means no harm.

I don't know about VNC.

HTH,
Dan
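An ipfw ruleset that applies the reply's principles to the services listed in the question, written as an added example for this thread (not code from either poster). Interface names, the public address and the LAN range are assumptions; by default it only prints the rules, and loads them when FWCMD is set to the real ipfw command.

```shell
#!/bin/sh
# Added example: ipfw ruleset following the reply's principles for the
# question's services. Interfaces/addresses below are constructed values.
oif="fxp0"             # external (Internet-facing) interface, assumed
iif="fxp1"             # internal LAN interface, assumed
oip="203.0.113.10"     # the gateway's public address (constructed)
lan="192.168.1.0/24"   # the LAN behind the gateway (constructed)
# Dry run by default: prints the rules. Set FWCMD="/sbin/ipfw -q" to load them.
fwcmd="${FWCMD:-echo ipfw}"

ruleset() {
    ${fwcmd} -f flush
    ${fwcmd} add allow ip from any to any via lo0
    # Packets with "weird" options (source routing, record route, timestamp)
    ${fwcmd} add deny log ip from any to any ipoptions ssrr,lsrr,rr,ts
    # Anti-spoof: our own address or private/loopback ranges arriving from outside
    ${fwcmd} add deny log ip from "${oip}" to any in via "${oif}"
    ${fwcmd} add deny log ip from 10.0.0.0/8 to any in via "${oif}"
    ${fwcmd} add deny log ip from 172.16.0.0/12 to any in via "${oif}"
    ${fwcmd} add deny log ip from 192.168.0.0/16 to any in via "${oif}"
    ${fwcmd} add deny log ip from 127.0.0.0/8 to any in via "${oif}"
    # No broadcasts across the outside interface in either direction
    ${fwcmd} add deny ip from any to 255.255.255.255 via "${oif}"
    # Replies to connections already allowed by the stateful rules below
    ${fwcmd} add check-state
    # Published services, one stateful rule per group (ports from the question)
    ${fwcmd} add allow tcp from any to "${oip}" 80,443 in via "${oif}" setup keep-state
    ${fwcmd} add allow tcp from any to "${oip}" 25,143 in via "${oif}" setup keep-state
    ${fwcmd} add allow udp from any to "${oip}" 53 in via "${oif}" keep-state
    ${fwcmd} add allow tcp from any to "${oip}" 53 in via "${oif}" setup keep-state
    ${fwcmd} add allow tcp from any to "${oip}" 21 in via "${oif}" setup keep-state
    # Active-mode FTP data: the server opens port 20 back towards the client
    ${fwcmd} add allow tcp from "${oip}" 20 to any out via "${oif}" setup keep-state
    # The gateway and the LAN may start anything outbound; state covers replies
    ${fwcmd} add allow ip from "${oip}" to any out via "${oif}" keep-state
    ${fwcmd} add allow ip from "${lan}" to any in via "${iif}" keep-state
    # ICMP: echo request/reply, unreachable and time-exceeded only
    ${fwcmd} add allow icmp from any to any icmptypes 0,3,8,11
    # Reset blocked TCP ports instead of silently dropping, then log the rest
    ${fwcmd} add reset tcp from any to "${oip}" in via "${oif}"
    ${fwcmd} add deny log ip from any to any
}

# Number of ipfw commands the ruleset issues (useful when checking the dry run)
rule_count() {
    ruleset | wc -l | tr -d ' '
}

ruleset
```

Review the printed rules first; the final `deny log` line produces the "huge big logs" the reply recommends, so trim it with more specific rules once the traffic is understood.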