Bot? / pf question

Mark Moellering mark at
Wed Jan 5 19:48:21 UTC 2011

On 05-Jan-11 1:44 PM, Kevin Wilcox wrote:
> On 5 January 2011 13:25, David Brodbeck<gull at>  wrote:
>> On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox<kevin.wilcox at>  wrote:
>>> To really see what your machine is doing, consider taking a look at
>>> the network flows. pfflowd, netflowd, ipaudit and a host of others can
>>> get you flow data with mostly minimal overhead.
>> Also, keep in mind that depending on how badly the machine has been
>> compromised, you may not be able to trust the output of utilities
>> running on the machine itself.  You may have to resort to capturing
>> its network traffic on another machine for analysis.
> That's an excellent point. A span port from the upstream switch/router
> would be ideal unless you've verified, through mechanisms external to
> the machine (known good test media), the tools on that machine are
> trustworthy.
> kmw
> _______________________________________________

Since I am going to be setting up a mail server sometime next week and 
have to keep things like this in mind;
would it make sense to run pf and block all outbound traffic that isn't 
on port 25 ( port 995 , etc)  and force any web administration programs 
onto a port other than 80 to help with this sort of thing?  Any other 
thoughts on how to make sure future installations can be kept secure?

As always, thanks in advance to everyone,

Mark Moellering

More information about the freebsd-questions mailing list