A separate forum item for security.

OP
Alain De Vos


Some allow the use of only sockets. And then one is forced to be local. You cannot route sockets over the internet.
 

astyle


Hmm, not sure I follow. XDM, KDM, GDM all listen on port 177. This is for Xdmcp requests. Luckily it is disabled by default on all of them. (It is not controlled by xorg.conf but xdm-config, kdmrc and gdm.conf respectively)

Port 6000 is what a remote Xorg traditionally used. This is no longer enabled by default (i.e since 2007).
Port 5900 is what a remote GNOME or Sway running Wayland-style uses. This is also not enabled by default.
My point was that just because an application is listening on port n, that doesn't mean that a firewall is THE solution for securing port n. You may need to think not about securing port n, or port n+1, but telling the application to behave, which is done via .conf files. It's a bit like having a lock on your door, but also telling your kid/application to behave smartly and not let strangers in.
 
OP
Alain De Vos


I write my passwords on paper. So if someone breaks into my house ... But hey, probability is low and I have a big knife.
 

kpedersen


You may need to think not about securing port n, or port n+1, but telling the application to behave
Yep, this is important. The other day I found out that there is no way to turn off a number of Windows "share" related services listening on ports. When you toggle the "off" button what it actually does is add a firewall rule denying that port! How naff is that?

sockstat -l, as demonstrated earlier in the thread, really is satisfying to see a silent FreeBSD install. Only SSH is allowed for the majority of my machines.
 

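An added example, not code from any post in this thread: a POSIX sh script that turns the two points above (kpedersen's sockstat -l check, and astyle's point that the application has to be told to behave through its own .conf file) into a repeatable audit. It classifies sockstat -l lines into sockets that are reachable only locally (unix-domain sockets and loopback binds, which is also Alain's point that sockets cannot be routed) versus sockets bound to a network address, lists the exposed ports, and reads the effective DisplayManager.requestPort out of an xdm-config. The sockstat output and the xdm-config excerpt embedded in the script are constructed samples, and the xdm-config path in the comment is an assumption; run it with --live on a FreeBSD host to feed it the real sockstat output.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits what a FreeBSD box exposes in
# two layers: what is listening (sockstat -l) and whether the display manager
# has been told to behave (DisplayManager.requestPort in xdm-config).
# Both inputs below are constructed samples in the format of the real output.

# Constructed sample of `sockstat -l` output.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1087  3  tcp6   *:22                  *:*
root     sshd       1087  4  tcp4   *:22                  *:*
root     syslogd    911   6  dgram  /var/run/log
root     syslogd    911   8  udp6   *:514                 *:*
root     xdm        1342  5  udp4   *:177                 *:*
user     Xorg       1400  3  tcp4   127.0.0.1:6000        *:*
user     Xorg       1400  4  stream /tmp/.X11-unix/X0'

# Constructed excerpt of an xdm-config (the path is assumed; it varies by install).
SAMPLE_XDM_CONFIG='! excerpt of /usr/local/etc/X11/xdm/xdm-config
DisplayManager.errorLogFile:    /var/log/xdm.log
! 0 turns XDMCP off; xdm falls back to 177 if the line is missing
DisplayManager.requestPort:     0'

# classify_listeners: sockstat -l lines on stdin -> "<class> <proto> <addr> <cmd>"
#   local   : unix-domain socket (dgram/stream) or bound to 127.0.0.0/8 or ::1,
#             i.e. reachable only from this host
#   exposed : bound to a wildcard (*) or any other address, i.e. reachable from
#             the network and therefore something a firewall rule has to cover
classify_listeners() {
    awk 'NR == 1 && $1 == "USER" { next }        # skip the header line
         {
             cmd = $2; proto = $5; addr = $6
             if (proto == "dgram" || proto == "stream") cls = "local"
             else if (addr ~ /^127\./ || addr ~ /^::1:/) cls = "local"
             else cls = "exposed"
             print cls, proto, addr, cmd
         }'
}

# exposed_ports: sockstat -l lines on stdin -> distinct network-reachable ports, sorted
exposed_ports() {
    classify_listeners |
        awk '$1 == "exposed" { n = split($3, a, ":"); print a[n] }' |
        sort -un
}

# xdmcp_request_port: xdm-config text on stdin -> effective requestPort value.
# Lines starting with "!" are X resource comments. A missing setting means the
# compiled-in default of 177, i.e. xdm listening for XDMCP.
xdmcp_request_port() {
    awk -F: '/^[ \t]*!/ { next }
             $1 == "DisplayManager.requestPort" { gsub(/[ \t]/, "", $2); v = $2 }
             END { print (v == "" ? "177" : v) }'
}

# Wrappers over the constructed samples, used by the demo below.
sample_exposed_count() { printf '%s\n' "$SAMPLE_SOCKSTAT" | classify_listeners | grep -c '^exposed '; }
sample_exposed_ports() { printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_ports; }
sample_xdmcp_port()    { printf '%s\n' "$SAMPLE_XDM_CONFIG" | xdmcp_request_port; }

# With --live, read the real sockstat on a FreeBSD host instead of the sample.
if [ "${1:-}" = "--live" ]; then
    sockstat -l | classify_listeners
else
    printf '%s\n' "$SAMPLE_SOCKSTAT" | classify_listeners
    echo "exposed ports: $(sample_exposed_ports | tr '\n' ' ')"
    echo "xdm requestPort: $(sample_xdmcp_port)"
fi
```

The awk parser only understands the plain `Name: value` resource form of xdm-config, not line continuations or `#include`; for kdmrc and gdm.conf the equivalent check reads a different key, so the same structure applies but not the same function. An "exposed" line is not automatically a problem (sshd on *:22 is the one listener kpedersen keeps), it is the list you then have to justify either with a firewall rule or by turning the listener off in its own configuration.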
grahamperrin


Security can be anything. Currently, issues are spread over the forum?

The security channel in Discord for FreeBSD: <https://discord.com/channels/727023752348434432/827065966416363570/>

Not specific to FreeBSD, but maybe of interest: A collection of links to PDFs of papers on Micro-Architectural Side-Channel Attacks (sorted by date, going back to 1993) (2018, archived)

… Thanks to Twitter folks @dimonoid @allanjude @Kensan42 for contributing to this list! …
 
OP
Alain De Vos


For whoever is interested, my ipfw ruleset:
Code:
#!/bin/sh
cmd="/sbin/ipfw -q add"   # Set rules command prefix
pif="tun0"                # Public side: the VPN tunnel interface
localpif="re0"            # LAN side
/sbin/ipfw -q -f flush    # Flush out the list before we begin.

# No restrictions on Loopback Interface
$cmd 00100 allow ip from any to any via lo0
# Loopback addresses must never appear on any other interface
$cmd 00200 deny ip from any to 127.0.0.0/8
$cmd 00300 deny ip from 127.0.0.0/8 to any
$cmd 00400 deny ip from any to ::1
$cmd 00500 deny ip from ::1 to any
# IPv6 neighbour discovery and router solicitation/advertisement
$cmd 00600 allow ipv6-icmp from :: to ff02::/16
$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136


# The next rule allows the packet through if it matches an existing entry in the dynamic rules table
$cmd 02000 check-state

### INCOMING
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 03000 deny all from 192.168.0.0/16 to any in via $pif     #RFC 1918 private IP
$cmd 03010 deny all from 172.16.0.0/12 to any in via $pif      #RFC 1918 private IP
$cmd 03020 deny all from 10.0.0.0/8 to any in via $pif         #RFC 1918 private IP
$cmd 03030 deny all from 127.0.0.0/8 to any in via $pif        #loopback
$cmd 03040 deny all from 0.0.0.0/8 to any in via $pif          #"this network" (RFC 1122), never a valid source
$cmd 03050 deny all from 169.254.0.0/16 to any in via $pif     #link-local / DHCP auto-config
$cmd 03060 deny all from 192.0.2.0/24 to any in via $pif       #reserved for docs
$cmd 03070 deny all from 204.152.64.0/23 to any in via $pif    #Sun cluster interconnect
$cmd 03080 deny all from 224.0.0.0/3 to any in via $pif        #Class D & E multicast
# Deny fragments
$cmd 03100 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 03200 deny tcp from any to any established in via $pif

# Allow incoming access from localnet (unique rule numbers so a single rule can be deleted by number)
$cmd 04010 allow tcp from 192.168.1.0/24 to any in via $localpif setup keep-state
$cmd 04020 allow udp from 192.168.1.0/24 to any in via $localpif keep-state

### OUTGOING
# Allow access to outside
$cmd 04030 allow tcp  from any to any out via $pif setup keep-state
$cmd 04040 allow udp  from any to any out via $pif keep-state
$cmd 04045 allow icmp from any to any out via $pif keep-state
# Allow access to localnet
$cmd 04050 allow tcp  from any to 192.168.1.0/24 out via $localpif setup keep-state
$cmd 04060 allow udp  from any to 192.168.1.0/24 out via $localpif keep-state
$cmd 04065 allow icmp from any to 192.168.1.0/24 out via $localpif keep-state

# Everything not matched above is dropped and logged
$cmd 05000 deny log all from any to any
/sbin/ipfw list
 