firewall for web server

Ben Timby asp at webexc.com
Tue Jun 29 11:29:48 PDT 2004


Peter, choose your firewall software. With a host firewall (what you are 
looking for, not a network firewall), the features you need will be 
limited. Find a howto on using that firewall package. The only 
difference between what you want and what most howtos provide 
instructions for is the ruleset. You will probably want rules like the 
following:

--
block in log all (default deny stance).
block out log all (default deny stance).

allow in tcp port 80 SYN/SYN+ACK keep state (only allow new connections 
and established ones to httpd).

allow in tcp port 22 SYN/SYN+ACK from host <your remote network here> 
keep state (only allow new connections and established ones to sshd).

allow out tcp src port > 1024 dest port < 1024 keep state (only allow 
new connections and established ones to "server" ports from "client" ports).
--

Modify for your firewall package and to suit your needs. Something 
simple like the above is probably all you need.

I personally have used ipfilter in the past with good success, but I 
currently use pf, which is ported from OpenBSD, and is the most 
excellent firewall package I have ever used. The rule preprocessor makes 
writing rules a breeze. I will not use any other firewall package again 
as long as pf is a choice.

Hope that helps.

Peter Zyumbilev wrote:

> Hello,
> 
> Do you know some good tutorial for building a firewall for FreeBSD as a web
> server? I found a lot of tutorials, but for FreeBSD as a router.
> Some commented premade script with comments will also do the job.
> I was planning to use APF, but I am afraid to install it on FreeBSD
> without a good tutorial.
> Please advise.
> 
> Best regards,
> 
> Peter
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
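
The ruleset sketched in the message above, written out in pf.conf syntax as an added example (it is not part of Ben Timby's post). The interface name em0 and the admin network 192.0.2.0/24 are placeholder assumptions, and the commented-out DNS rule is an addition the post's list does not include.

```pf
# Added example: pf.conf for a single-homed FreeBSD web server.
# Assumed values, replace with your own:
ext_if    = "em0"            # hypothetical external interface
admin_net = "192.0.2.0/24"   # hypothetical remote admin network (documentation range)

set block-policy drop
set skip on lo0              # do not filter loopback traffic

# Default deny in both directions, logged to pflog0.
# pf evaluates every rule and the last match wins, so the pass rules
# below override these blocks for the traffic they describe.
block in  log all
block out log all

# httpd: "flags S/SA" means only a packet with SYN set and ACK clear
# may create state; everything after that is matched by the state entry.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
    flags S/SA keep state

# sshd: same check, but only from the admin network.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port 22 \
    flags S/SA keep state

# Outbound: new connections from "client" ports to "server" ports only.
pass out on $ext_if proto tcp from ($ext_if) port > 1024 \
    to any port < 1024 flags S/SA keep state

# Not in the original list: with "block out all" and only TCP passed,
# DNS lookups over UDP are dropped. Uncomment if the host must resolve names.
# pass out on $ext_if proto udp from ($ext_if) to any port 53 keep state
```

Check the file with `pfctl -nf /etc/pf.conf`, which parses the rules without loading them, before enabling it on a machine you reach over ssh.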

