FB_security board


If someone has some free time, can you go over my ipfw config? See if I have any problems, or things I should add. I'm not an ipfw expert or anything. Here is the config.

add 100 allow all from any to any via lo0
add 110 deny log all from any to 127.0.0.0/8
add 120 deny log ip from 127.0.0.0/8 to any
add 00200 check-state
add 00250 deny all from any to any frag in via bge0
add 00260 deny tcp from any to any established in via bge0

###### outbound section ######

## standard http ##
add 00300 allow tcp from any to any 80 out via bge0 setup keep-state
## secure https ##
add 00301 allow tcp from any to any 443 out via bge0 setup keep-state
## dns ##
add 00310 allow tcp from any to any 53 out via bge0 setup keep-state
add 00311 allow udp from any to any 53 out via bge0 keep-state
## pop & smtp ##
add 00330 allow tcp from any to any 25 out via bge0 setup keep-state
add 00331 allow tcp from any to any 110 out via bge0 setup keep-state
## give root all ##
add 00340 allow tcp from me to any out via bge0 setup uid root keep-state
## ftp with passive ports ##
add 00375 allow tcp from me to any 21 out via bge0 setup keep-state
add 00376 allow tcp from me to any 49152-65535 out via bge0 setup keep-state
## ssh ##
add 00380 allow tcp from any to any 22 out via bge0 setup keep-state
## ntp ##
add 00390 allow tcp from any to any 123 out via bge0 setup keep-state
add 00391 allow udp from any to any 123 out via bge0 keep-state
## ident ##
add 00400 allow tcp from any to any 113 out via bge0 setup keep-state
add 00401 allow udp from any to any 113 out via bge0 keep-state
## whois ##
add 00410 allow tcp from any to any 43 out via bge0 setup keep-state
## snmp ##
add 00420 allow udp from any to any 161 out via bge0 keep-state
## finger ##
add 00430 allow tcp from any to any 79 out via bge0 setup keep-state
add 00431 allow udp from any to any 79 out via bge0 keep-state

###### inbound section #######

## standard http ##
add 00600 allow tcp from any to any 80 in via bge0 setup keep-state
## secure https ##
add 00601 allow tcp from any to any 443 in via bge0 setup keep-state
## dns ##
add 00611 allow udp from any to me 53 in via bge0 keep-state
add 00612 allow tcp from any to me dst-port 53 in via bge0 setup keep-state
## pop & smtp ##
add 00630 allow tcp from any to me 25 in via bge0 setup keep-state
add 00631 allow tcp from any to me 110 in via bge0 setup keep-state
## imap ##
add 00635 allow tcp from any to me 143 in via bge0 setup keep-state
## ftp ##
add 00640 allow tcp from any to me 21 in via bge0 setup keep-state
add 00641 allow tcp from any to me 49152-65535 in via bge0 setup keep-state
#add 00641 allow tcp from any 20 to any 1024-49151 out via bge0 setup keep-state
## ssh ##
add 00660 allow tcp from any to me 22 in via bge0 setup keep-state
## snmp ##
add 00690 allow udp from any to me 161 in via bge0 keep-state
## razor ##
add 00695 allow tcp from me to any dst-port 2703 out via bge0 setup keep-state

###### ICMP ######

## Allow out & in console traceroute command ##
add 00700 allow udp from me to any 33435-33500 out via bge0 keep-state
add 00701 allow log icmp from any to me icmptype 3,11 in via bge0 limit src-addr 2
## ping out ##
add 00710 allow icmp from any to any out via bge0 keep-state
## ping in ##
add 00720 allow log icmp from any to me icmptype 0,8 in via bge0
## This sends a RESET to all ident packets ##
add 00730 reset log tcp from any to me 113 in via bge0 limit src-addr 4
## Stop & log external redirect requests ##
add 00740 deny log icmp from any to any icmptype 5 in via bge0
## Stop & log spoofing Attack attempts ##
add 00750 deny log ip from me to me in via bge0
## Stop & log ping echo attacks ##
add 00760 deny log icmp from any to me icmptype 0,8 in via bge0

###### Everything Else #####

## Reject & Log all setup of tcp incoming connections from the outside ##
add 00770 deny log tcp from any to any setup in via bge0
## Reject all port 80 http packets that fall through to here ##
add 00780 deny tcp from any to any 80 out via bge0
## Everything else is denied by default ##
add 00790 deny log logamount 500 all from any to any

Thanks
Nick
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
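
Added example, not part of the original post or written by its author: ipfw stops at the first rule whose action is allow, deny or reset, so a rule whose match is identical to an earlier one can never fire. The sketch below checks for that in the ICMP and catch-all rules quoted from the config above; the function names parse and shadowed are hypothetical, and only the log/logamount options are treated as irrelevant to matching.

```python
import re

# Sample input: ICMP and catch-all rules copied from the config in the post above.
RULESET = """\
add 00700 allow udp from me to any 33435-33500 out via bge0 keep-state
add 00701 allow log icmp from any to me icmptype 3,11 in via bge0 limit src-addr 2
add 00710 allow icmp from any to any out via bge0 keep-state
add 00720 allow log icmp from any to me icmptype 0,8 in via bge0
add 00730 reset log tcp from any to me 113 in via bge0 limit src-addr 4
add 00740 deny log icmp from any to any icmptype 5 in via bge0
add 00750 deny log ip from me to me in via bge0
add 00760 deny log icmp from any to me icmptype 0,8 in via bge0
add 00770 deny log tcp from any to any setup in via bge0
add 00790 deny log logamount 500 all from any to any
"""

# Actions that end rule processing for a matching packet.
TERMINAL = {"allow", "accept", "pass", "permit", "deny", "drop", "reset"}
RULE_RE = re.compile(r"^add\s+(\d+)\s+(\S+)\s*(.*)$")
LOG_RE = re.compile(r"^log(\s+logamount\s+\d+)?\s+")

def parse(text):
    """Yield (number, action, match_body) for each uncommented 'add' line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop '#' comments
        m = RULE_RE.match(line)
        if not m:
            continue
        number, action, rest = int(m.group(1)), m.group(2), m.group(3)
        body = LOG_RE.sub("", rest + " ").strip()   # logging does not affect matching
        body = re.sub(r"^(ip|all)\b", "ip", body)   # 'all' and 'ip' are synonyms
        yield number, action, " ".join(body.split())

def shadowed(text):
    """Return (later, earlier) pairs where an earlier terminal rule has the same match."""
    seen, hits = {}, []
    for number, action, body in sorted(parse(text), key=lambda r: r[0]):
        if body in seen:
            hits.append((number, seen[body]))
        elif action in TERMINAL and body:
            seen[body] = number
    return hits

if __name__ == "__main__":
    for later, earlier in shadowed(RULESET):
        print(f"rule {later:05d} never matches: rule {earlier:05d} decides the same packets first")
```
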






