#1
Dedicated - blocking ports
I am about to switch from my cradle shared-hosting to my very own 2U rackmounted baby.
I am looking into docs on how to block inbound communication on almost all ports except 80, ftp and ssh. I am looking into whether I need to install firewall software or maybe another solution... Any words of wisdom welcome... I am going through some tutorials but most seem to be for early BSD versions and not current. There have got to be plenty out there who have been where I am now.
/ LJ
#2
RE: Dedicated - blocking ports
One of the easiest ways to do it is with the /etc/hosts.allow and /etc/hosts.deny files. You can deny from all, then let in what and who you want for each service.
#3
RE: Dedicated - blocking ports
oho, thanks for that... I was looking into things like ipchains etc.
/ LJ
PS. that's a mad looking cow you got ya there ;)
#4
RE: Dedicated - blocking ports
Read into ipchains. I'll help you where you get stuck. It's pretty easy. Also turn off any services you don't need.
You Lika Da Cow Eh?
#5
RE: Dedicated - blocking ports
use netstat to check for services listening on your server and kill them if you don't need them ;)
netstat -nap|less
look into "man netstat" to get some details on what you see ;) after that still read the iptables docs. building a secure server is 1% good programs and the other 99% is the administrator that has to know what he is doing....
#6
RE: Dedicated - blocking ports
netstat to look for what ports it listens on. What I wanted is more blocking ports as done by a firewall - for example so someone probing my ports wouldn't get a reply (and know the server was there) and at the same time use it as a first level of security, to open only http, ftp and ssh - block all other ports...
Btw. tried your commands on a FreeBSD 5.0 Tiny, it gives:

copernicus# netstat -nap | less
netstat: option requires an argument -- p
usage: netstat [-AaLnSW] [-f protocol_family | -p protocol] [-M core] [-N system]
       netstat -i | -I interface [-abdnt] [-f address_family] [-M core] [-N system]
       netstat -w wait [-I interface] [-d] [-M core] [-N system]
       netstat -s [-s] [-z] [-f protocol_family | -p protocol] [-M core]
       netstat -i | -I interface -s [-f protocol_family | -p protocol] [-M core] [-N system]
       netstat -m [-M core] [-N system]
       netstat -r [-AanW] [-f address_family] [-M core] [-N system]
       netstat -rs [-s] [-M core] [-N system]
       netstat -g [-W] [-f address_family] [-M core] [-N system]
       netstat -gs [-s] [-f address_family] [-M core] [-N system]
copernicus# man netstat
No manual entry for netstat
#7
RE: Dedicated - blocking ports
Then do what I am saying. Set your hosts.allow for what you want to let in and set your hosts.deny file to ALL :ALL. That is a good way to get what you want done. Do you want me to give you examples of doing it this way????
#8
RE: Dedicated - blocking ports
Hi Postal,
No need for examples ;) but thx... Pointers welcome as you've given me so far - but got to learn some for myself also. Else I will never pass the current state of knowledge ;)

Marcel,
This seems to do the trick:
netstat -na | grep LISTEN
It shows I am unwantedly listening on port 25 (smtp) - this server will always be sending mail out - got another to handle incoming. And I got MySQL listening on port 3306, of which I got no use either. No need to provide them the option to go directly into the base.
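
The `netstat -na | grep LISTEN` check from the last post, extended into an audit against the thread's intended open ports (ftp, ssh, http). This is an added example, not part of the original thread; the names `ALLOWED_PORTS`, `unexpected_listeners` and `sample_netstat` are hypothetical and the netstat output is a constructed sample. It accepts both the BSD `addr.port` and the Linux `addr:port` layouts.

```shell
#!/bin/sh
# Added example: read `netstat -na` output on stdin and report TCP listeners
# whose port is not in the allowlist. All names here are hypothetical.
ALLOWED_PORTS="${ALLOWED_PORTS:-21 22 80}"   # ftp, ssh, http

unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # State is the 6th column in both the BSD and the Linux layout.
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            # BSD prints addr.port (*.25), Linux prints addr:port (0.0.0.0:25).
            if (!match(addr, /[.:][0-9]+$/)) next
            port = substr(addr, RSTART + 1)
            host = substr(addr, 1, RSTART - 1)
            if (port in ok) next
            # A loopback-bound socket is not reachable from the network.
            scope = (host == "127.0.0.1" || host == "::1") ? "local-only" : "exposed"
            key = port " " scope
            # tcp4 and tcp6 listeners on the same port are reported once.
            if (!(key in seen)) { seen[key] = 1; print port, scope }
        }
    ' | sort -n
}

# Constructed sample in FreeBSD `netstat -na` layout: ports 25 and 3306 are
# open as described in the thread; the loopback listener on 953 is made up.
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.22          198.51.100.7.51234     ESTABLISHED
tcp4       0      0  *.21                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp6       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.953          *.*                    LISTEN
tcp4       0      0  *.3306                 *.*                    LISTEN
EOF
}

sample_netstat | unexpected_listeners
```

On a live host the same function is fed with `netstat -na | unexpected_listeners`; every `exposed` line is a service to stop, rebind to loopback, or cover with a firewall rule.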