Securing BSD as firewall

    I have a pretty technical networking question....

    First, a little background info:

    A while back, on the advice of a co-worker, I started using a
FreeBSD-based PC as a hardware firewall to my cable modem. A couple days ago,
I was perusing the system logs and noticed a bunch of rejected attempts to
ftp into my firewall from IP addresses in France, a few in Poland, and a
couple others I didn't bother to look up. Most were accompanied by a message
that the login was rejected, but not all were.

    Question:

    How do I bind services to one network interface, but not the other?

    I want to be able to telnet and ftp to the firewall from within my
network (on vr1) but I would like to disable ALL services on the other
(vr0).



Nathan
3/20/2005 3:09:57 AM
comp.unix.bsd.freebsd


comp.unix.bsd.freebsd is not widely propagated, so you won't
necessarily get much help here (in comp.unix.bsd.freebsd).
See http://www.freebsd.org/support.html for better ideas...
[followups redirected accordingly]

"Nathan Yerian" <nyerian@comcast.net> writes:

>     I have a pretty technical networking question....
> 
>     First, a little background info:
> 
>     A while back, on the advice of a co-worker, I started using a
> FreeBSD-based PC as a hardware firewall to my cable modem. A couple days ago,
> I was perusing the system logs and noticed a bunch of rejected attempts to
> ftp into my firewall from IP addresses in France, a few in Poland, and a
> couple others I didn't bother to look up. Most were accompanied by a message
> that the login was rejected, but not all were.
> 
>     Question:
> 
>     How do I bind services to one network interface, but not the other?
> 
>     I want to be able to telnet and ftp to the firewall from within my
> network (on vr1) but I would like to disable ALL services on the other
> (vr0).

This is called "packet filtering," and is usually the first thing that
people mean when they talk about building a firewall.  The FreeBSD
Handbook has a whole chapter on it; I suggest starting there.
Lowell
3/20/2005 3:49:21 PM
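Added example, not part of Lowell's reply or of the Handbook chapter he points to: an ipfw rule set for the layout Nathan describes (LAN on vr1, cable modem on vr0) together with a small first-match evaluator, so the rules can be sanity-checked on any machine before they are loaded on the firewall. The interface names come from the question; the rule numbers and the evaluator are my own. The evaluator models only what these rules use: interface, direction, protocol, destination ("me" is the firewall, "lan" is a host behind it) and destination port. It ignores source addresses, "setup" and keep-state, so it answers for the first packet of a flow only.

```shell
#!/bin/sh
# Added example: ipfw rules for a two-interface FreeBSD firewall, with a
# first-match evaluator for checking them off-box. Interface names are the
# ones from the question; rule numbers and the evaluator are assumptions.
INSIDE=vr1     # LAN side
OUTSIDE=vr0    # cable modem side

# ipfw_rules INSIDE OUTSIDE: one ipfw command per line, '#' lines are comments
ipfw_rules() {
  cat <<EOF
# packets belonging to flows allowed below (keep-state) are matched here
add 00100 check-state
add 00200 allow ip from any to any via lo0
# the only services the firewall itself offers, and only on the LAN side
add 00300 allow tcp from any to me 21,23 in via $1 setup keep-state
# nothing arriving on the cable side may address the firewall itself
add 00400 deny log ip from any to me in via $2
# LAN hosts may open connections to the outside; the firewall may too
add 00500 allow tcp from any to not me in via $1 setup keep-state
add 00600 allow udp from any to not me in via $1 keep-state
add 00700 allow ip from me to any out keep-state
# everything else, including unsolicited inbound forwarding, is dropped
add 65000 deny log ip from any to any
EOF
}

# load_rules: run as root on the firewall (from the console, see below)
load_rules() {
  ipfw -q -f flush
  ipfw_rules "$INSIDE" "$OUTSIDE" | while read -r l; do
    case $l in ''|'#'*) ;; *) ipfw -q $l ;; esac
  done
}

# dst_ok RULE_DST NEGATED PKT_DST: "any" matches all; "not me" matches lan
dst_ok() {
  [ "$1" = any ] && return 0
  if [ -n "$2" ]; then [ "$1" != "$3" ]; else [ "$1" = "$3" ]; fi
}

# verdict IFACE in|out PROTO DPORT me|lan -> allow|deny for the first packet
# of a flow. Source addresses, "setup" and dynamic state are not modelled.
verdict() {
  pkt_if=$1 pkt_dir=$2 pkt_proto=$3 pkt_port=$4 pkt_dst=$5
  rules=$(ipfw_rules "$INSIDE" "$OUTSIDE")
  while read -r line; do
    set -- $line
    [ "${1:-}" = add ] || continue
    action=$3; shift 3
    [ "$action" = check-state ] && continue
    [ "$1" = log ] && shift
    r_proto=$1; shift 4                       # PROTO from SRC to
    r_neg=""; [ "$1" = not ] && { r_neg=1; shift; }
    r_dst=$1; shift
    ports=""; r_dir=""; r_if=""
    while [ $# -gt 0 ]; do
      case $1 in
        in|out) r_dir=$1 ;;
        via)    r_if=$2; shift ;;
        [0-9]*) ports=$1 ;;
        *)      ;;                            # setup, keep-state
      esac
      shift
    done
    [ "$r_proto" = ip ] || [ "$r_proto" = "$pkt_proto" ] || continue
    dst_ok "$r_dst" "$r_neg" "$pkt_dst" || continue
    [ -z "$r_dir" ] || [ "$r_dir" = "$pkt_dir" ] || continue
    [ -z "$r_if" ] || [ "$r_if" = "$pkt_if" ] || continue
    if [ -n "$ports" ]; then
      case ",$ports," in *",$pkt_port,"*) ;; *) continue ;; esac
    fi
    echo "$action"; return 0
  done <<EOF
$rules
EOF
  echo deny    # ipfw's built-in rule 65535 denies unless the kernel says otherwise
}

# Sanity checks run off-box; on the firewall, `ipfw list` shows what loaded.
verdict vr1 in tcp 23 me     # allow
verdict vr0 in tcp 21 me     # deny
```

Load the rules from the console rather than over a telnet session: `ipfw -f flush` leaves the kernel's default deny in force until the adds complete, and a remote session is cut off at that point. To make them permanent, point firewall_script in rc.conf at the script and set firewall_enable="YES"; set the sysctl net.inet.ip.fw.verbose=1 or the log keyword writes nothing. Two caveats: passive-mode FTP to the firewall's own ftpd lands on a high port that rule 300 does not cover, so either use active mode from the LAN or widen that port list; and none of this changes the fact that telnet and ftp carry passwords in the clear, even on the LAN side.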
You can specify your inetd superdaemon to bind to a specific address by 
using the -a switch to start inetd.


"Nathan Yerian" <nyerian@comcast.net> wrote in message 
news:Fd6dnQFUFK9AdKHfRVn-iw@comcast.com...
>    I have a pretty technical networking question....
>
>    First, a little background info:
>
>    A while back, on the advice of a co-worker, I started using a
> FreeBSD-based PC as a hardware firewall to my cable modem. A couple days ago,
> I was perusing the system logs and noticed a bunch of rejected attempts to
> ftp into my firewall from IP addresses in France, a few in Poland, and a
> couple others I didn't bother to look up. Most were accompanied by a message
> that the login was rejected, but not all were.
>
>    Question:
>
>    How do I bind services to one network interface, but not the other?
>
>    I want to be able to telnet and ftp to the firewall from within my
> network (on vr1) but I would like to disable ALL services on the other
> (vr0).


Grand
4/5/2005 7:51:33 PM
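Added example, not from Grand's reply: the rc.conf line that gives inetd its -a switch, the per-service alternative that FreeBSD's inetd.conf supports (a host address prefixed to the service name), and a check over `sockstat -4 -l` output that lists what still answers on addresses other than the LAN one. The LAN address 192.168.1.1 is an assumption, since the thread names only the interfaces, and the sockstat output is constructed.

```shell
#!/bin/sh
# Added example: binding inetd to the LAN address and checking what is still
# listening everywhere. The address 192.168.1.1 is an assumption; the thread
# names only the interfaces (vr1 inside, vr0 outside).
INSIDE_ADDR=192.168.1.1

# rc_conf_inetd ADDR: the rc.conf line. -wW -C 60 are FreeBSD's default
# inetd_flags; dropping them while adding -a would switch TCP wrappers off.
rc_conf_inetd() {
  printf 'inetd_flags="-wW -C 60 -a %s"\n' "$1"
}

# inetd_conf_lines ADDR: the per-service alternative. inetd.conf lets a
# service name be prefixed with the address it should listen on, so ftp and
# telnet can be pinned to the LAN address while other entries stay as they are.
inetd_conf_lines() {
  printf '%s:ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n' "$1"
  printf '%s:telnet\tstream\ttcp\tnowait\troot\t/usr/libexec/telnetd\ttelnetd\n' "$1"
}

# exposed_listeners ADDR: reads `sockstat -4 -l` output on stdin and prints
# COMMAND and LOCAL ADDRESS of every listener not bound to ADDR or loopback,
# i.e. everything that still answers on the outside interface.
exposed_listeners() {
  awk -v inside="$1" 'NR > 1 {
    split($6, a, ":")
    if (a[1] != inside && a[1] != "127.0.0.1") print $2, $6
  }'
}

# Constructed sample of sockstat output after the inetd change: inetd is on
# the LAN address only, sendmail is loopback-only, two daemons still bind "*".
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     inetd      512   5  tcp4   192.168.1.1:21        *:*
root     inetd      512   6  tcp4   192.168.1.1:23        *:*
root     sshd       480   3  tcp4   *:22                  *:*
root     syslogd    420   4  udp4   *:514                 *:*
root     sendmail   530   4  tcp4   127.0.0.1:25          *:*'

# exposed_in_sample: run the check over the constructed sample
exposed_in_sample() {
  printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners "$INSIDE_ADDR"
}

# On the firewall itself: sockstat -4 -l | exposed_listeners "$INSIDE_ADDR"
exposed_in_sample
```

-a takes an address, not an interface name, so vr1 needs a fixed address. Keep the -wW: replacing FreeBSD's default flags with just "-a ..." silently turns TCP wrappers off for everything inetd starts. Whatever the check lists is still reachable from vr0 and needs its own binding option or should be switched off in rc.conf; for the two in the sample, sshd has ListenAddress in sshd_config and syslogd_flags="-ss" stops syslogd opening a network socket at all.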
Nathan Yerian wrote:
>     How do I bind services to one network interface, but not the other?
> 
>     I want to be able to telnet and ftp to the firewall from within my
> network (on vr1) but I would like to disable ALL services on the other
> (vr0).

You can use TCP_Wrappers (tcpd, /etc/hosts.allow) to fine-grain filter
access to local system services. You can also use a firewall (ipf, ipfw)
to prevent inbound access to application ports other than your local
network. The firewall can also address multiple interfaces. TCP_Wrappers
goes into effect AFTER a firewall allows a packet in.


man tcpd
man 5 hosts_access
man ipf
man ipfw
RandomUser
8/4/2009 12:25:16 AM
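Added example, not from RandomUser's reply: the hosts.allow entries for ftpd and telnetd on the firewall, plus a reduced evaluator of the hosts_access(5) lookup that reproduces the two properties that matter here: the first matching line wins, and a request that matches no line at all is granted. The LAN 192.168.1.0/24 is an assumption. Only the ALL and net/mask client forms are implemented; on the firewall itself tcpdmatch(8) tests the real file. FreeBSD's inetd consults hosts.allow on its own when started with -w, so no tcpd entry goes into inetd.conf.

```shell
#!/bin/sh
# Added example: hosts.allow entries for ftpd/telnetd on the firewall, and a
# reduced evaluator of the hosts_access(5) lookup. The LAN 192.168.1.0/24 is
# an assumption. Only the ALL and net/mask client forms are implemented.

# hosts_allow_rules: the text that goes into /etc/hosts.allow. FreeBSD keeps
# allow and deny lines in this one file; the first line that matches wins.
hosts_allow_rules() {
  cat <<'EOF'
ftpd telnetd : 192.168.1.0/255.255.255.0 : allow
ftpd telnetd : ALL : deny
EOF
}

# ip2int A.B.C.D -> integer, so a netmask can be applied with bit operations
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# client_matches PATTERN ADDR: ALL, or NET/MASK with a dotted-quad mask
client_matches() {
  case $1 in
    ALL) return 0 ;;
    */*) net=${1%/*}; mask=${1#*/}
         [ $(( $(ip2int "$2") & $(ip2int "$mask") )) -eq \
           $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
    *)   return 1 ;;          # prefix, hostname and wildcard forms not modelled
  esac
}

# daemon_matches LIST NAME: LIST is ALL or space-separated daemon names
daemon_matches() {
  for d in $1; do
    [ "$d" = ALL ] || [ "$d" = "$2" ] && return 0
  done
  return 1
}

# hosts_access DAEMON ADDR [RULES] -> allow|deny. First match wins; if no
# line matches, access is granted, exactly as the real library does it.
hosts_access() {
  rules=${3:-$(hosts_allow_rules)}
  while IFS=: read -r daemons clients action; do
    daemons=$(echo $daemons); clients=$(echo $clients); action=$(echo $action)
    [ -n "$daemons" ] || continue
    daemon_matches "$daemons" "$1" || continue
    client_matches "$clients" "$2" || continue
    echo "$action"; return 0
  done <<EOF
$rules
EOF
  echo allow
}

# On the firewall the real file is tested with: tcpdmatch ftpd 82.230.10.4
hosts_access ftpd 192.168.1.20      # allow
hosts_access ftpd 82.230.10.4       # deny
```

The point the evaluator makes: drop the `: ALL : deny` line and ftpd accepts the French and Polish addresses from Nathan's log again, because no match means allow. A final `ALL : ALL : deny` is stricter still, but then every wrapped service needs its own allow line above it.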