Re: best firewall option for FreeBSD

From: Baldur Gislason (baldur@foo.is)
Date: 02/27/02


From: Baldur Gislason <baldur@foo.is>
To: Bart Matthaei <bart@dreamflow.nl>
Date: Wed, 27 Feb 2002 11:52:22 +0000

It's never a good idea to silently deny incoming connections on port 113 (RFC1413 ident),
as remote daemons you connect to often try establishing a connection to your host on that
port and you won't be served until they've timed out on the ident connection.
Also, never trust your local users too much, especially if you have a wireless network.
The most practical design is a DMZ (De-Militarized Zone) for the servers, external net and
partially trusted user network. If you have a wireless network it may even be a good idea to isolate
that from the rest of the user network, as you must not trust the wireless users at all unless they're
authenticated somehow. On the DMZ you'd allow in certain ports on each server, and allowing the range
49152 through 65535 (dynamic port range) may be a good idea if you run an ftpd and want users
to be able to use passive transfers (that applies to most users that are behind a firewall).

Baldur

On Wednesday 27 February 2002 10:34, you wrote:
> On Wed, Feb 27, 2002 at 11:14:11AM +0100, Geert Houben wrote:
> [snip]
>
> Correct me if I'm wrong.
>
> The easiest way of achieving this is to deny everything coming
> from your internal net by default, and set up rules to allow certain
> services, like ssh.
>
> Example:
>
> # allow established connections ( remote host -> source port on client )
> ipfw add pass all from any to any established
>
> ipfw add pass tcp from any to any 22 recv $internal_nic # allow ssh
> ipfw add pass tcp from any to any 80 recv $internal_nic # allow http
> ipfw add pass tcp from any to any 21 recv $internal_nic # allow ftp
>
> <insert some more firewall rules>
>
> ipfw add deny all from any to any recv $internal_nic
>
> You'll get a pretty long set of firewall rules, but that doesn't
> matter.
>
> You should also decide if you want your internal net to have public or
> private ipspace (and if private, using ipnat or natd:
>
> natd runs in userland, so that's no option for large networks (imho).
> ipnat runs in the kernel, so it performs better for large nets.
>
> ).
>
> Regards,
>
> Bart

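The design Baldur sketches above (rejecting ident with a TCP reset instead of a silent drop, a DMZ with per-server ports plus the dynamic range for passive FTP, a partially trusted user LAN, and a wireless segment isolated from it) written out as an ipfw ruleset in the style of Bart's example. This is an added illustration, not code from either poster; the interface names, the RFC 5737 / RFC 1918 addresses and the choice of permitted services are constructed assumptions, and `gen_rules` only prints the rules so the set can be reviewed before `apply_rules` hands it to `ipfw`.

```shell
#!/bin/sh
# Constructed ipfw ruleset for the DMZ layout described in the thread.
# Interfaces, networks and hosts below are assumptions for illustration.
# Preview with:  IPFW=echo sh dmz.sh apply     Apply with:  sh dmz.sh apply

IPFW="${IPFW:-ipfw -q}"

ext_if="fxp0"    # assumed: link to the upstream provider
dmz_if="fxp1"    # assumed: DMZ segment holding the servers
usr_if="fxp2"    # assumed: partially trusted wired user LAN
wlan_if="fxp3"   # assumed: wireless, untrusted until authenticated

dmz_net="192.0.2.0/24"     # constructed (documentation prefix)
usr_net="10.10.0.0/24"     # constructed
wlan_net="10.20.0.0/24"    # constructed
web_srv="192.0.2.80"       # constructed: DMZ web server
ftp_srv="192.0.2.21"       # constructed: DMZ ftpd, passive mode in 49152-65535

# Emit one "add ..." rule per line, in evaluation order.  ipfw numbers
# unnumbered rules in steps of 100, so order here is the match order.
gen_rules() {
    cat <<EOF
add pass all from any to any via lo0
add pass all from any to any established
add reset tcp from any to any 113 in via $ext_if
add unreach port udp from any to any 113 in via $ext_if
add pass tcp from any to $web_srv 80 in via $ext_if setup
add pass tcp from any to $ftp_srv 21 in via $ext_if setup
add pass tcp from any to $ftp_srv 49152-65535 in via $ext_if setup
add pass tcp from $usr_net to $dmz_net 22,80 in via $usr_if setup
add pass tcp from $usr_net to $ftp_srv 21,49152-65535 in via $usr_if setup
add pass tcp from $usr_net to any 22,80,443 in via $usr_if setup
add deny all from $wlan_net to $usr_net
add deny all from $usr_net to $wlan_net
add pass tcp from $wlan_net to $web_srv 80 in via $wlan_if setup
add deny all from $wlan_net to $dmz_net
add pass tcp from $wlan_net to any 80,443 in via $wlan_if setup
add deny log all from any to any
EOF
}

# Ident (TCP 113) is answered with a RST and UDP 113 with port-unreachable
# so a remote daemon's lookup fails at once instead of waiting for a timeout.
ident_rule() {
    gen_rules | grep 'any to any 113 in' | head -n 1
}

# Flush the current set and load the generated rules through $IPFW.
apply_rules() {
    $IPFW -f flush
    gen_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of the rule is intended
        $IPFW $rule
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Two points worth noting against the quoted ruleset: `setup` restricts each pass rule to the SYN that opens a connection, so the early `established` rule carries every later packet and the service rules never match mid-stream traffic; and the ident rules sit before any default deny so the reset is sent rather than the packet being dropped.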