Firewall and NAT

Although ipf and ipnat serve similar purposes to Linux's ipchains and iptables, be aware that their configuration file syntaxes and the way they process rulesets differ significantly. In particular, ipf walks the whole ruleset and the last matching rule decides a packet's fate, unless a matching rule carries the keyword quick, which makes that rule's decision final at once.

Quick start - ipf

You are not safe unless your machine is well secured. Log in as root. Here is a basic /etc/ipf.conf file:

    pass in quick on lo0 all
    pass out quick on lo0 all
    block out quick all
    block in all

Then, still as root, issue the following command (-F a flushes every rule currently loaded, -f loads the new file):

    ipf -F a -f /etc/ipf.conf

At this stage you can use another machine to test these settings. Your box should now be deaf and mute to the outside world. Don't worry about lo0, the loopback interface (also reached as "localhost" or 127.0.0.1), which is allowed to communicate in the example above. It is an internal system interface required by some programs and tools (the X Window System, for example) and should not be blocked. You can confirm which rules are actually loaded with `ipfstat -io`.

If everything went fine, edit your /etc/rc.conf file so that ipf is started automatically each time the system boots. Just add the following line at the end:

    ipfilter=YES

Then save the file, reboot and check again that everything is working as expected.

Bad news: you should not feel completely safe as long as your machine is connected to a network. Re-examine your configuration, do some security auditing yourself (`man netstat`, `man nmap`) and check log files on a regular basis. Note that the rules above log nothing by themselves: ipf only records packets matched by a rule carrying the log keyword, and those records are read from the kernel and written to the log by ipmon (`man ipmon`).

Alternatively, if you need to access the internet from this machine right now, change the third line of the example above. Instead of:

    block out quick all

there should be:

    pass out quick all keep state

With keep state, ipf remembers each connection you open and lets its replies back in, even though the last rule still blocks every other inbound packet; `ipfstat -s` shows the state table statistics. Then, again, flush the old configuration and make the new one operational:

    ipf -F a -f /etc/ipf.conf

Now your machine is secure enough to give you some time for reading the documentation listed at the bottom of this page. After that you will be able to compose a set of rules yourself, according to your particular requirements.
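To see why the order of the rules and the quick keyword matter so much, here is a small model of ipf's rule processing. It is an added example for this page, not NetBSD's ipf code, and it implements only the subset of ipf.conf syntax used above (pass/block, in/out, quick, on <interface>, all, keep state): the last matching rule wins unless a matching rule is quick, the state table is consulted before the rules, and an unmatched packet passes (ipf's default). The interface name wm0 and the addresses are constructed sample data.

```python
"""Toy model of IP Filter (ipf) rule processing for the quick-start rulesets.

Added example, not ipf source. Assumptions: only the rule syntax used on this
page is parsed; state is a plain 5-tuple set; no rule match means "pass".
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    iface: str              # e.g. "lo0", "wm0" (wm0 is a sample name)
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    quick: bool
    iface: Optional[str]    # None means any interface
    keep_state: bool
    text: str


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    action, direction = tokens[0], tokens[1]
    if action not in ("pass", "block") or direction not in ("in", "out"):
        raise ValueError("unsupported rule: " + line)
    if "all" not in tokens:                 # "all" == "from any to any"
        raise ValueError("only 'all' address specs are modelled: " + line)
    iface = tokens[tokens.index("on") + 1] if "on" in tokens else None
    keep_state = "keep" in tokens and "state" in tokens
    return Rule(action, direction, "quick" in tokens, iface, keep_state, line)


def parse_ruleset(text: str) -> list:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, as in ipf.conf
        if line:
            rules.append(parse_rule(line))
    return rules


class IpFilter:
    def __init__(self, conf: str):
        self.rules = parse_ruleset(conf)
        self.state = set()

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, pkt: Packet):
        """Return (decision, reason) for one packet."""
        # 1. A packet belonging to a remembered connection passes without
        #    touching the rules; replies arrive with the tuple reversed.
        if self._key(pkt) in self.state or self._reverse_key(pkt) in self.state:
            return "pass", "state"
        # 2. Walk every rule; the last match wins unless a match is quick.
        decision, matched = "pass", None
        for r in self.rules:
            if r.direction != pkt.direction:
                continue
            if r.iface is not None and r.iface != pkt.iface:
                continue
            decision, matched = r.action, r
            if r.quick:
                break
        if matched is not None and decision == "pass" and matched.keep_state:
            self.state.add(self._key(pkt))
        return decision, matched.text if matched else "default"


DEAF_AND_MUTE = """
pass in quick on lo0 all
pass out quick on lo0 all
block out quick all
block in all
"""
OUTBOUND_OK = DEAF_AND_MUTE.replace("block out quick all",
                                    "pass out quick all keep state")


def run_scenarios() -> dict:
    """Exercise both quick-start rulesets with constructed sample packets."""
    syn = Packet("out", "wm0", "192.0.2.10", "203.0.113.5", "tcp", 40000, 80)
    synack = Packet("in", "wm0", "203.0.113.5", "192.0.2.10", "tcp", 80, 40000)
    probe = Packet("in", "wm0", "198.51.100.7", "192.0.2.10", "tcp", 55555, 22)
    loop = Packet("in", "lo0", "127.0.0.1", "127.0.0.1", "tcp", 6001, 6000)
    results = {}
    fw = IpFilter(DEAF_AND_MUTE)
    results["deaf: lo0 in"] = fw.filter(loop)[0]     # pass (X etc. still work)
    results["deaf: out"] = fw.filter(syn)[0]         # block
    results["deaf: reply"] = fw.filter(synack)[0]    # block
    fw = IpFilter(OUTBOUND_OK)
    results["state: out"] = fw.filter(syn)[0]        # pass, creates state
    results["state: reply"] = fw.filter(synack)[0]   # pass, via state table
    results["state: probe"] = fw.filter(probe)[0]    # block, unsolicited
    return results


def ordering_demo():
    """Same two rules without quick: in ipf the LAST match wins."""
    loop = Packet("in", "lo0", "127.0.0.1", "127.0.0.1")
    a = IpFilter("block in all\npass in on lo0 all")   # pass (last match)
    b = IpFilter("pass in on lo0 all\nblock in all")   # block (last match)
    return a.filter(loop)[0], b.filter(loop)[0]


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:14s} -> {verdict}")
    print("ordering (block then pass, pass then block):", ordering_demo())
```

ordering_demo is the trap for people arriving from iptables, where the first match wins: writing the lo0 pass rule before a general block, without quick, blocks the loopback interface in ipf.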
While configuring the firewall, pay attention to where the words "any" and "all" are (in)appropriate: in ipf, "all" stands for the whole "from any to any" clause, whereas "any" is a wildcard for a single address inside a from/to clause.

Network Address Translation - ipnat

If you have more than one machine, you may want to use the NetBSD box as a gateway/router between your ISP and the local network, and even as a port redirector. ipnat is an extremely flexible tool, but complex enough that it is not discussed further here; rely on the official documentation (`man ipnat`, `man ipnat.conf`).

General warning (a bit off-topic)

Just an example, which should help you stay suspicious. "Once upon a time" I put in place a quite firm /etc/ethers, but being paranoid I wanted to be 100% sure. So I initiated a connection from another machine that I intended to deny access from. Much to my surprise, the connection succeeded! In the end, a detailed examination of `man 5 ethers` revealed the cause.

Make a copy of any configuration file you are about to edit, especially if it is crucial for system integrity. In the case of NetBSD, I would recommend adding .ok or just the current date at the end of the original name.

Information resources
Do you remember what you have learned about how to approach documentation?