Now that I know which ports are open on my computer, I can start sketching out how I'll give appropriate access to each listening service. Before I start creating any type of firewall or packet filtering rules, there are a few points I should consider.
The first thing I need to decide is what types of packets I wish to allow IN to my system. Since this is a stand-alone computer that is only connected to the Internet, any packets coming in will be one of two types.
The first type is packets from users on the Internet trying to connect to one of my daemons.
Remember, if these packets are trying to make a TCP connection, they will have the SYN flag set but not the ACK flag.
Since I now know which of my ports are willing to accept connections, I should carefully re-examine each and decide whether I really want someone from the Internet trying to connect to that daemon. Let's look at them one at a time:
port 22 or ssh
The only person I'd want to use a secure shell into my machine would be me, and I don't plan on doing this over the Internet. Therefore, I don't want to let IN these types of packets.
port 25 or smtp
While I do use smtp to send e-mail OUT of my system, I'm not running an e-mail server that accepts mail from other smtp servers, so I don't want to let IN these types of packets. However, I do want to be able to pick up my e-mail from my service provider, so I'll have to remember to let IN POP3 packets. (Forget how SMTP and POP3 work? See "Understanding E-Mail.")
port 80 or http
Since I'm still creating my web site, I'll hold off on allowing IN http requests for the moment. When my web site is ready, I'll have to remember to change my firewall rules to allow IN http connection requests.
port 6000 or X Window protocol
I don't want anyone from the Internet using my X terminal, so I won't be letting IN these packets either.
UDP port 68 or DHCP client
I do need to let IN these packets so I can renew my DHCP lease. I'll have to remember that UDP doesn't use flags, so there will not be a SYN or ACK flag on these packets.
OK, now for the second type of incoming packets: responses from the Internet for packets I sent out.
There's not much sense in me sending OUT packets to the Internet unless I remember to tell the firewall to allow back IN the responses to my packets. For example, it would be very frustrating to send out an HTTP request to a web server but never receive a response back that could be displayed in my web browser.
If I don't want to restrict myself to the types of packets I'm allowed to send OUT to the Internet, I can still tell the firewall to not let IN packets that aren't a response to my request. There are several ways to do this, and I'll demonstrate how when we make the actual firewall rules.
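The decisions sketched above, worked through as an added example that is not from the column: a small Python model of a stateful inbound filter that denies connection requests (SYN without ACK) to the listening daemons, lets IN DHCP client packets on UDP port 68, and otherwise lets IN only responses to packets this host sent OUT. All addresses, port numbers and packets are constructed for the example.

```python
# Added example (not the column's code): a model of the inbound plan above.
# Packets are constructed dicts; addresses and ports are made up.
MY_IP = "192.0.2.10"                      # this stand-alone host (constructed)
CLOSED_TCP_PORTS = {22, 25, 80, 6000}     # sshd, smtp, http, X: no connects IN

def is_connection_request(pkt):
    """TCP connection request: SYN set, ACK not set (see the flag discussion)."""
    return pkt["proto"] == "tcp" and "S" in pkt["flags"] and "A" not in pkt["flags"]

class InboundFilter:
    """Lets IN only DHCP client packets and responses to traffic I sent OUT."""
    def __init__(self):
        self.flows = set()   # (proto, remote ip, remote port, my port) I started

    def handle(self, pkt):
        if pkt["dir"] == "out":
            # Remember what I sent so the reply can be let back IN later.
            self.flows.add((pkt["proto"], pkt["dst"], pkt["dport"], pkt["sport"]))
            return "pass"
        if pkt["proto"] == "udp" and pkt["dport"] == 68:
            return "pass"    # DHCP client: UDP has no SYN/ACK, so match on port
        if is_connection_request(pkt) and pkt["dport"] in CLOSED_TCP_PORTS:
            return "deny"    # someone on the Internet trying to reach a daemon
        if (pkt["proto"], pkt["src"], pkt["sport"], pkt["dport"]) in self.flows:
            return "pass"    # a response to a packet I sent OUT
        return "deny"        # anything else is not a reply to my request

def pkt(direction, proto, src, sport, dst, dport, flags=""):
    """Build a constructed packet record for the model."""
    return dict(dir=direction, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, flags=flags)

def run_demo():
    """Run constructed sample traffic through the filter; returns the verdicts."""
    fw = InboundFilter()
    web, dns, dhcp, stranger = "198.51.100.5", "198.51.100.53", "198.51.100.1", "203.0.113.9"
    traffic = [
        pkt("out", "udp", MY_IP, 40001, dns, 53),              # DNS query OUT
        pkt("in",  "udp", dns, 53, MY_IP, 40001),              # its reply
        pkt("out", "tcp", MY_IP, 40002, web, 80, "S"),         # HTTP connect OUT
        pkt("in",  "tcp", web, 80, MY_IP, 40002, "SA"),        # SYN/ACK back
        pkt("in",  "tcp", stranger, 5555, MY_IP, 22, "S"),     # ssh connect IN
        pkt("in",  "udp", dhcp, 67, MY_IP, 68),                # DHCP renewal
        pkt("in",  "udp", dns, 53, MY_IP, 40999),              # unsolicited
    ]
    return [fw.handle(p) for p in traffic]

if __name__ == "__main__":
    print(run_demo())
```

The verdict list shows the two inbound kinds side by side: replies to my own DNS and HTTP traffic pass, the DHCP renewal passes on port alone, and the stray ssh request and the unsolicited DNS packet are dropped.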
The last thing I should do is sketch out a list of activities I do over the Internet. This list will prove useful when I create my rules, as some applications require extra considerations so they will continue to work properly through a firewall. This is a good time to do some free association; creating a list will invariably remind me of related applications and possibly some tidbits of information that will be helpful in my firewall rules. Here's a rough sketch of my list:
- HTTP because I like to surf; that reminds me that I'll also need DNS
- POP3 so I can pick up my e-mail
- FTP in case I want to download something; I'll have to look at my bookmarks, as I've heard that FTP is difficult to do through a firewall
- DHCP, as I receive my IP address from my service provider's DHCP server
- ICMP so I can do path-MTU discovery; I'll also have to review my ICMP types and codes
I'm sure I'll think of more when I actually start creating the firewall rules, but this rough sketch is a start.
Let's wait until next week to see what options are available for creating a firewall on a FreeBSD system.
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.