Re: best firewall option for FreeBSD

From: Bart Matthaei (bart@dreamflow.nl)
Date: 02/27/02


Date: Wed, 27 Feb 2002 11:34:56 +0100
From: Bart Matthaei <bart@dreamflow.nl>
To: Geert Houben <sec@hict.nl>


On Wed, Feb 27, 2002 at 11:14:11AM +0100, Geert Houben wrote:
[snip]

Correct me if I'm wrong.

The easiest way of achieving this is to deny everything coming
from your internal net by default, and set up rules to allow certain
services, like ssh.

Example:

# allow replies on connections that are already open
# (remote host -> source port on the client; matches TCP packets with
# ACK or RST set, and 'established' is a TCP-only match, hence 'tcp')
ipfw add pass tcp from any to any established

# one rule per permitted service, for packets received on the internal
# interface ($internal_nic is a shell variable holding its name, e.g. fxp0)
ipfw add pass tcp from any to any 22 recv $internal_nic # allow ssh
ipfw add pass tcp from any to any 80 recv $internal_nic # allow http
ipfw add pass tcp from any to any 21 recv $internal_nic # allow ftp (control channel only;
                                                        # passive data channels hit a high port)

<insert some more firewall rules>

# default: everything else received on the internal interface is denied
ipfw add deny all from any to any recv $internal_nic

You'll get a pretty long set of firewall rules, but that doesn't
matter.

You should also decide if you want your internal net to have public or
private IP space (and if private, whether to use ipnat or natd:

natd runs in userland, so that's no option for large networks (imho).
ipnat runs in the kernel, so it performs better for large nets.

).

Regards,

Bart

-- 
Bart Matthaei                 bart@dreamflow.nl 
Kiss me twice.  I'm schizophrenic.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
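A more complete, rc.firewall-style script for the deny-by-default internal-interface setup sketched in the message above. This is an added example, not code from the original mail or from FreeBSD's own rc.firewall. It generalizes the post's TCP-only list to proto/port tokens (so UDP services such as DNS fit the same loop) and optionally emits the divert rule that natd needs when the internal net uses private address space. The interface names fxp0/fxp1, the rule numbers and the /sbin/ipfw path are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original message): deny-by-default ipfw ruleset
# for the internal interface, in the style sketched in the mail above.
# Assumptions: ipfw lives at /sbin/ipfw, the internal interface is fxp0 and the
# external one fxp1, and the rule numbers are arbitrary but ordered.

FW="/sbin/ipfw -q"        # -q: quiet, so loading does not echo every rule

# build_ruleset INT_IF EXT_IF "SERVICES" [yes]
#   SERVICES is a space-separated list of proto/port tokens, e.g. "tcp/22 udp/53".
#   A fourth argument "yes" adds the natd divert rule.
#   Emits one ipfw command per line on stdout; nothing is applied here.
build_ruleset() {
    int_if=$1
    ext_if=$2
    services=$3
    natd=${4:-no}

    echo "$FW -f flush"                                        # start from an empty chain
    echo "$FW add 100 pass all from any to any via lo0"        # loopback traffic
    echo "$FW add 200 deny log all from 127.0.0.0/8 to any in" # loopback source on a wire is spoofed

    # With private address space, natd needs a divert rule ahead of the
    # filtering rules (kernel option IPDIVERT; natd started with -interface EXT_IF).
    if [ "$natd" = yes ]; then
        echo "$FW add 300 divert natd all from any to any via $ext_if"
    fi

    # Replies on connections that are already open: TCP packets carrying ACK or RST.
    # 'established' is a TCP-only match, so the rule says tcp, not all.
    echo "$FW add 1000 pass tcp from any to any established"

    # One rule per permitted service, for packets received on the internal NIC.
    n=2000
    for svc in $services; do
        proto=${svc%/*}
        port=${svc#*/}
        echo "$FW add $n pass $proto from any to any $port recv $int_if"
        n=$((n + 10))
    done

    # Default: everything else coming from the internal net is dropped and logged.
    echo "$FW add 60000 deny log all from any to any recv $int_if"
}

# last_rule: same arguments as build_ruleset; returns the final rule, a quick
# sanity check that the deny-all really is last before the set is loaded.
last_rule() {
    build_ruleset "$@" | tail -n 1
}

# Usage:  sh fw.sh --print   (inspect the rules)    sh fw.sh --apply   (load them)
case "${1:-}" in
    --print) build_ruleset fxp0 fxp1 "tcp/22 tcp/80 tcp/21 udp/53" yes ;;
    --apply) build_ruleset fxp0 fxp1 "tcp/22 tcp/80 tcp/21 udp/53" yes | sh ;;
esac
```

Run it with --print first and read the output bottom-up: the only thing that should sit below the per-service rules is the logged deny, and the established rule must precede them, otherwise return traffic for every permitted service gets re-evaluated against the service list.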