Reaction score: 645
Some allow the use of only sockets. And then one is forced to be local. You cannot route sockets over the internet.
My point was that just because an application is listening on port n, that doesn't mean that a firewall is THE solution for securing port n. You may need to think not about securing port n, or port n+1, but telling the application to behave, which is done via .conf files. It's a bit like having a lock on your door, but also telling your kid/application to behave smartly and not let strangers in.Hmm, not sure I follow. XDM, KDM, GDM all listen on port 177. This is for Xdmcp requests. Luckily it is disabled by default on all of them. (It is not controlled by xorg.conf but xdm-config, kdmrc and gdm.conf respectively)
Port 6000 is what a remote Xorg traditionally used. This is no longer enabled by default (i.e since 2007).
Port 5900 is what a remote GNOME or Sway running Wayland-style uses. This is also not enabled by default.
Yep, this is important. The other day I found out that there is no way to turn off a number of Windows "share" related services listening on ports. When you toggle the "off" button what it actually does is add a firewall rule denying that port! How naff is that?You may need to think not about securing port n, or port n+1, but telling the application to behave
sockstat -las demonstrated earlier in the thread really is satisfying to see a silent FreeBSD install. Only SSH is allowed for the majority of my machines.
Reaction score: 678
Security can be anything. Currently issues are spread over the forum ?
… Thanks to Twitter folks @dimonoid @allanjude @Kensan42 for contributing to this list! …
cmd="/sbin/ipfw -q add" # Set rules command prefix pif="tun0" localpif="re0" /sbin/ipfw -q -f flush # Flush out the list before we begin. # No restrictions on Loopback Interface $cmd 00100 allow ip from any to any via lo0 $cmd 00200 deny ip from any to 127.0.0.0/8 $cmd 00300 deny ip from 127.0.0.0/8 to any $cmd 00400 deny ip from any to ::1 $cmd 00500 deny ip from ::1 to any $cmd 00600 allow ipv6-icmp from :: to ff02::/16 $cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10 $cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16 $cmd 00900 allow ipv6-icmp from any to any icmp6types 1 $cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136 # The next rule allows the packet through if it matches an existing entry in the dynamic rules table $cmd 02000 check-state ### INCOMING # Deny all inbound traffic from non-routable reserved address spaces $cmd 03000 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP $cmd 03010 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP $cmd 03020 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP $cmd 03030 deny all from 127.0.0.0/8 to any in via $pif #loopback $cmd 03040 deny all from 0.0.0.0/8 to any in via $pif #loopback $cmd 03050 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config $cmd 03060 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs $cmd 03070 deny all from 18.104.22.168/23 to any in via $pif #Sun cluster interconnect $cmd 03080 deny all from 22.214.171.124/3 to any in via $pif #Class D & E multicast # Deny fragments $cmd 03100 deny all from any to any frag in via $pif # Deny ACK packets that did not match the dynamic rule table $cmd 03200 deny tcp from any to any established in via $pif # Allow incoming access from localnet $cmd 04050 allow tcp from 192.168.1.0/24 to any in via $localpif setup keep-state $cmd 04060 allow udp from 192.168.1.0/24 to any in via $localpif keep-state ### OUTGOING # Allow access to outside $cmd 04030 allow tcp from any to any out via $pif setup keep-state $cmd 04040 allow udp from any to any out via $pif keep-state $cmd 04040 allow icmp from any to any out via $pif keep-state # Allow access to localnet $cmd 04050 allow tcp from any to 192.168.1.0/24 out via $localpif setup keep-state $cmd 04060 allow udp from any to 192.168.1.0/24 out via $localpif keep-state $cmd 04060 allow icmp from any to 192.168.1.0/24 out via $localpif keep-state $cmd 05000 deny log all from any to any /sbin/ipfw list