ipfw rules
Danny Pansters
danny at ricin.com
Wed Mar 3 17:16:04 PST 2004
On Thursday 04 March 2004 01:42, RYAN vAN GINNEKEN wrote:
> I know this has probably been posted 1000's of times, but I would like to
> set up an ipfw firewall. I run many services on this machine. It acts as a
> gateway for my network:
> APACHE web server
80/TCP and perhaps 443/TCP
> IMAP mail server
143/TCP
> SMTP mail server
25/TCP
> BIND name server
53/UDP, and 53/TCP for xfers
> FTP server
21/TCP
20/TCP maybe
(I use ipf but the principles are the same)
- block in/out packets you never want to see at all (e.g. with weird opts or too short to be normal)
- block in anything from your own IP
- block in anything from private addresses (you can get and update lists of these)
- let no broadcasting packets come in or go out, even on wrong bcast addresses
- block in (and log) everything else except:
  - your services on their ports, keep state and with proxy if needed (ftp?)
  - let everything outward go and keep state, or:
  - let nothing out except what you may initialize (and keep state), e.g. web traffic, mail retrieval, etc. More cumbersome.
- decide on ping etc.: what do you want to come in and what ICMP do you want to respond to
- send out resets rather than ICMP-no-answer (or whatever it's called) on blocked ports
Keep huge big logs at first, then later strip out what you know means no harm.
I don't know about VNC.
HTH,
Dan
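An ipfw ruleset that follows Dan's checklist for the services Ryan listed, as an added example that is not part of the original thread. The interface name (fxp0), the gateway address (192.0.2.10, from the TEST-NET-2 range) and the LAN net (192.168.1.0/24) are assumed placeholders; setting fwcmd=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original thread: an ipfw ruleset built from
# Dan's checklist for Ryan's gateway. fwcmd=echo previews instead of loading.
fwcmd="${fwcmd:-ipfw -q}"
ext_if="fxp0"            # assumed: external interface
my_ip="192.0.2.10"       # assumed: gateway's public address (TEST-NET-2)
lan_net="192.168.1.0/24" # assumed: LAN behind the gateway

load_rules() {
    $fwcmd flush
    # Loopback traffic is fine; nothing else may use 127/8.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 deny ip from any to 127.0.0.0/8
    $fwcmd add 120 deny ip from 127.0.0.0/8 to any
    # Anti-spoofing: our own address or RFC 1918 sources never arrive from outside.
    $fwcmd add 200 deny log ip from ${my_ip} to any in via ${ext_if}
    $fwcmd add 210 deny log ip from 10.0.0.0/8 to any in via ${ext_if}
    $fwcmd add 211 deny log ip from 172.16.0.0/12 to any in via ${ext_if}
    $fwcmd add 212 deny log ip from 192.168.0.0/16 to any in via ${ext_if}
    # No broadcast traffic across the external interface in either direction.
    $fwcmd add 220 deny ip from any to 255.255.255.255 via ${ext_if}
    # Packets belonging to a flow that already has a state entry pass here.
    $fwcmd add 300 check-state
    # Whatever the gateway or the LAN starts outbound is allowed and tracked;
    # active-mode FTP data (20/TCP) is such an outbound connection.
    $fwcmd add 310 allow ip from ${my_ip} to any out via ${ext_if} keep-state
    $fwcmd add 311 allow ip from ${lan_net} to any keep-state
    # The published services: one state entry per new connection.
    for port in 80 443 143 25 53 21; do
        $fwcmd add 400 allow tcp from any to ${my_ip} ${port} in via ${ext_if} setup keep-state
    done
    $fwcmd add 410 allow udp from any to ${my_ip} 53 in via ${ext_if} keep-state
    # ICMP: echo request/reply, destination unreachable, time exceeded; drop the rest.
    $fwcmd add 500 allow icmp from any to any icmptypes 0,3,8,11
    # Closed TCP ports answer with a reset; everything left is logged and dropped.
    $fwcmd add 600 reset tcp from any to ${my_ip} in via ${ext_if}
    $fwcmd add 65000 deny log ip from any to any
}

# Load the rules only when asked to, so the file can be sourced or previewed.
if [ "${1:-}" = "apply" ]; then
    load_rules
fi
```

`fwcmd=echo sh ipfw.rules apply` prints the rules for review; without fwcmd set, the same command loads them. Passive-mode FTP needs a data port range or an FTP proxy in front of rule 400, which this example leaves out.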