
Re: Newbie ?



Thomas,

Depending on whether you are using 'ipf' or 'pf' as your packet filter the
rule syntax will change but, both are similar. I'll provide examples for
'ipf'.

Assuming that you know how to setup and administer a firewall and create
rules, and aren't using NAT, you simply need to create properly structured
rules for port 80 on the HTTP boxes, port 21 on the FTP boxes, and,
hopefully, port 22 for SSH remote administration. Block everything else
unless you need to be able to do things like 'ping' the boxes or log remotely
via 'syslog'. Services like Sendmail which you might want for email alerts,
etc. should be run in a non-listening mode, i.e. local service only. If you
are using NAT, a couple of extra steps will be required and you will need to
enable the FTP-proxy service. There's a ton of documentation on how to do
all of this on the web.

If you are inexperienced with network security I suggest that you do a lot
of learning and testing ahead of time. A firewall can cut both ways if not
implemented correctly.


Examples:
---------

HTTP: pass in quick on fxp0 proto tcp from any to <IP address> port = 80
flags S/SA keep state
SSH: pass in quick on fxp0 proto tcp from any to <IP address> port = 22
flags S/SA keep state

Or, http://www.openlysecure.org/openbsd/scripts.html


Hope this helps,

Steve
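A fuller ipf ruleset for the web/ftp host described above, as an added example that is not part of the original message; the interface name fxp0, the host address 192.0.2.10 and the passive FTP port range are assumed values to be replaced with your own.

```ipf
# Added example ruleset for a web/ftp host on fxp0 at 192.0.2.10 (assumed values).
# ipf applies the LAST matching rule unless a rule says 'quick', so start with a
# default block for both directions and punch explicit 'quick' holes afterwards.
block in log all
block out log all

# Loopback carries local-only traffic; leave it untouched.
pass in quick on lo0 all
pass out quick on lo0 all

# Drop obviously spoofed sources arriving on the outside interface
# (RFC 1918 space and loopback should never come in from the Internet).
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 127.0.0.0/8 to any

# Offered services: HTTP, the FTP control channel, and SSH for administration.
# 'flags S/SA' matches only the opening SYN; 'keep state' then admits the rest
# of that connection without further rules.
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 80 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 21 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 22 flags S/SA keep state

# Passive-mode FTP data connections arrive on a high port range that the FTP
# daemon is configured to use (assumed here: 49152-50000; '><' is exclusive on
# both ends). Keep this range as narrow as the daemon allows.
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port 49151 >< 50001 flags S/SA keep state

# Traffic the host itself initiates: DNS lookups and outbound TCP (mail
# delivery, active-mode FTP data from port 20). Stateful so replies return.
pass out quick on fxp0 proto udp from 192.0.2.10/32 to any port = 53 keep state
pass out quick on fxp0 proto tcp from 192.0.2.10/32 to any flags S/SA keep state

# Anything else on fxp0 falls through to the default block rules and is logged.
```

Load with `ipf -Fa -f /etc/ipf.rules` and watch `ipmon` output while testing from outside, so that a rule that is too tight shows up as a logged block rather than a silent outage.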


-----Original Message-----
From: owner-tech@openbsd.org [mailto:owner-tech@openbsd.org] On Behalf Of
Thomas P. Colson
Sent: Thursday, July 11, 2002 10:07 AM
To: tech@openbsd.org
Subject: Newbie ?


Quick question...

Having a tough time finding sample configs on web for Open BSD 2.9 firewalls
that are SOLELY protecting web servers, in this case, a web/ftp server
hosting 4 sites. Any clues/help in locating this sort of document(s).
Thanks.