Re: Are 4 IPFW rules enough?

2004-07-24 Thread Kevin D. Kinsey, DaleCo, S.P.
Kevin Curran wrote:
> I have a cable modem and I'm using 4.9 as a NAT router for my home
> network.  I have 4 rules in my ipfw config.  The first enables NAT and
> the last is 65000 allow any to any.
> In between I have 2 rules to deny access to ports 53 and 110 on the
> Internet side.  That's all.
>
> Here's my thinking: I use inetd.conf to enable only the services I want,
> therefore the ports on which those services are listening I would want
> open.  The two other ports I want to filter on the WAN side are filtered
> by the rules above.  All the other ports are closed, anyway, so why
> spend time debugging an elaborate rule set?


What has to be so elaborate?
   ipfw add rulenum deny ip from any to me in via oif setup
And it's generally a good idea to think about egress as well.  It's
the strategy you're using for inetd, it should probably be the way
you do your firewall.  Build the wall with the gates where you
want them instead of the other way 'round.
My $0.02,
Kevin Kinsey
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Are 4 IPFW rules enough?

2004-06-16 Thread Kevin Curran
I have a cable modem and I'm using 4.9 as a NAT router for my home
network.  I have 4 rules in my ipfw config.  The first enables NAT and
the last is 65000 allow any to any.

In between I have 2 rules to deny access to ports 53 and 110 on the
Internet side.  That's all.

Here's my thinking: I use inetd.conf to enable only the services I want,
therefore the ports on which those services are listening I would want
open.  The two other ports I want to filter on the WAN side are filtered
by the rules above.  All the other ports are closed, anyway, so why
spend time debugging an elaborate rule set?



Re: Are 4 IPFW rules enough?

2004-06-16 Thread Bill Moran
Kevin Curran [EMAIL PROTECTED] wrote:

> I have a cable modem and I'm using 4.9 as a NAT router for my home
> network.  I have 4 rules in my ipfw config.  The first enables NAT and
> the last is 65000 allow any to any.
>
> In between I have 2 rules to deny access to ports 53 and 110 on the
> Internet side.  That's all.
>
> Here's my thinking: I use inetd.conf to enable only the services I want,
> therefore the ports on which those services are listening I would want
> open.  The two other ports I want to filter on the WAN side are filtered
> by the rules above.  All the other ports are closed, anyway, so why
> spend time debugging an elaborate rule set?

Check the output of sockstat -4 to ensure that you don't have anything running
that you aren't aware of ... syslogd is a typical culprit.  You'll probably
have to add syslogd_flags=-ss to /etc/rc.conf

Otherwise, you're probably good, except that there are some spoofing techniques
that may be able to get around such a ruleset.  That's beyond my expertise,
however.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
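The sockstat -4 check above and the original poster's inetd.conf reasoning, turned into a small audit script (an added example, not code from anyone in the thread). It assumes the FreeBSD 4.x sockstat column layout; the sockstat output, the inetd.conf line and the service-name table are constructed samples, and sshd is treated as started from rc.conf rather than inetd.

```python
# Constructed `sockstat -4` output in the FreeBSD 4.x column layout.
SOCKSTAT_4 = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       142   3  tcp4   *:22                  *:*
root     inetd      131   4  tcp4   *:21                  *:*
root     syslogd    98    4  udp4   *:514                 *:*
root     natd       120   3  divert 8668                  *:*
kevin    ssh        301   3  tcp4   192.168.1.1:54321     10.0.0.5:22
"""

# Constructed /etc/inetd.conf with a single enabled service (ftp).
INETD_CONF = "ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l\n"

# Subset of /etc/services large enough for the constructed sample.
SERVICES = {"ftp": 21, "telnet": 23, "domain": 53, "pop3": 110}


def listeners(sockstat_text):
    """Return {(proto, port): command} for IPv4 tcp/udp sockets open to any peer."""
    found = {}
    for line in sockstat_text.splitlines():
        cols = line.split()
        if len(cols) < 7 or cols[4] not in ("tcp4", "udp4"):
            continue  # header line, divert socket, or not IPv4 tcp/udp
        if cols[6] != "*:*":
            continue  # connected socket (the outbound ssh session), not a listener
        found[(cols[4][:3], int(cols[5].rsplit(":", 1)[1]))] = cols[1]
    return found


def inetd_services(conf_text):
    """Return {(proto, port)} for each enabled (uncommented) inetd.conf entry."""
    wanted = set()
    for line in conf_text.splitlines():
        cols = line.split()
        if len(cols) >= 3 and not line.startswith("#"):
            wanted.add((cols[2][:3], SERVICES[cols[0]]))  # "tcp6" -> "tcp"
    return wanted


def unexpected_listeners(sockstat_text, conf_text, also_allowed=frozenset()):
    """Listeners accounted for by neither inetd.conf nor the explicit allow set."""
    expected = inetd_services(conf_text) | set(also_allowed)
    return sorted((proto, port, cmd)
                  for (proto, port), cmd in listeners(sockstat_text).items()
                  if (proto, port) not in expected)


if __name__ == "__main__":
    # sshd is started from rc.conf rather than inetd, so allow it explicitly.
    for proto, port, cmd in unexpected_listeners(SOCKSTAT_4, INETD_CONF, {("tcp", 22)}):
        print(f"unexpected listener: {cmd} on {proto}/{port}")
```

On the constructed sample the only unexplained listener is syslogd on udp/514, which is exactly the daemon the reply points at; on a real box, feed it the live `sockstat -4` output and your own inetd.conf.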


RE: Are 4 IPFW rules enough?

2004-06-16 Thread fbsd_user
Boy are you naïve.  If firewall protection was that simple everybody
would be doing it your way.

I have just completed my final draft of the complete rewrite of the
FBSD handbook firewall section.
Here is the URL where you can access it.

  www.a1poweruser.com/FBSD_firewall/

Give it a read and learn about all your FBSD firewall options.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kevin
Curran
Sent: Monday, June 14, 2004 9:12 PM
To: [EMAIL PROTECTED]
Subject: Are 4 IPFW rules enough?

I have a cable modem and I'm using 4.9 as a NAT router for my home
network.  I have 4 rules in my ipfw config.  The first enables NAT and
the last is 65000 allow any to any.

In between I have 2 rules to deny access to ports 53 and 110 on the
Internet side.  That's all.

Here's my thinking: I use inetd.conf to enable only the services I want,
therefore the ports on which those services are listening I would want
open.  The two other ports I want to filter on the WAN side are filtered
by the rules above.  All the other ports are closed, anyway, so why
spend time debugging an elaborate rule set?
