[geeks] IPFilter experts?
Kurt Huhn
kurt at k-huhn.com
Mon Nov 11 10:13:43 CST 2002
Bill Bradford <mrbill at mrbill.net> wrote:
> Any ipfilter wizards out there? I need assistance in changing my
> current config from "block ports I use, and only allow outside access
> to certain ports" to "block everything, only allow certain ports".
>
I'm far from an ipfilter wizard, but good firewall ruleset design goes
something like this:
- allow specific ports/services to specific systems inbound
- allow specific ports/services to specific systems outbound
- deny everything else from everything to everything
so something like (with total disregard for ipfilter syntax):
1: some_external_address -> internal_address:port_num allow
2: some_other_external_address -> internal_address:other_port_num allow
3: internal_address_block -> all_outside_addresses:80 allow
4: specific_internal_address_your_workstation -> all_outside_addresses:22 allow
5: all_external_addresses -> all_internal_addresses deny
6: all_internal_addresses -> all_external_addresses deny
Since the firewall will (should) step through the rules in order, and stop
when a match is made, this gives you extreme control over the services you
allow - it also raises the processing power requirement of your firewall by
a potentially significant amount.
Hope that helps.
--
Kurt
kurt at k-huhn.com
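The six pseudo-rules above written out as an IPFilter ruleset (an added example, not from Kurt's post or from any real host). One caveat for IPFilter specifically: it does not stop at the first match by default, it keeps evaluating and the last matching rule wins, so the pass rules carry `quick` to end evaluation on a match while the catch-all block rules sit first as the fallback. Interfaces, addresses and ports are placeholders chosen for the example.

```conf
# Added example ipf.conf: default-deny with narrow, stateful allows.
# Placeholders: fxp0 = outside interface, 192.0.2.10 = internal mail/web
# server, 203.0.113.0/24 = internal block, 203.0.113.5 = your workstation,
# 198.51.100.7 and 198.51.100.9 = the two external hosts to be let in.

# Rules 5 and 6: block everything in both directions and log it. These
# are listed first and have no "quick", so they apply only when no later
# pass rule matched (last match wins in IPFilter).
block in log all
block out log all

# Loopback traffic is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# Rule 1: one external host may open SMTP to the internal server.
pass in quick on fxp0 proto tcp from 198.51.100.7 to 192.0.2.10 port = 25 flags S keep state

# Rule 2: another external host may open HTTPS to the internal server.
pass in quick on fxp0 proto tcp from 198.51.100.9 to 192.0.2.10 port = 443 flags S keep state

# Rule 3: the whole internal block may reach web servers outside.
pass out quick on fxp0 proto tcp from 203.0.113.0/24 to any port = 80 flags S keep state

# Rule 4: only the workstation may open SSH to the outside.
pass out quick on fxp0 proto tcp from 203.0.113.5 to any port = 22 flags S keep state

# "flags S keep state" accepts only the initial SYN and then tracks the
# connection, so replies in the other direction pass without a separate
# rule and nothing else reaches the final "block all" for those flows.
```

Load it with `ipf -Fa -f /etc/ipf.conf` and watch `ipmon` for the logged blocks to confirm nothing you need was left out of the allow list.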