# Delete ANY remote logins



## Handy92 (Aug 8, 2016)

I generally use FreeBSD as a client and I want to remove any external connection to my system.
At the moment I have removed rsh, rlogin and sshd from /usr/bin.

My question is: Is there something else to remove?


----------



## SirDice (Aug 8, 2016)

Simply don't run any of those services and set up a firewall to block all incoming connections. Leave the files as is, the next update will just add them again.
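Before deciding what to stop, it helps to see what is actually listening. The script below is an added example, not something from this thread: it filters `sockstat -4 -6 -l` style output down to the sockets reachable from the network (anything not bound to a loopback address) and maps the common daemons to the rc.conf(5) knob that keeps them from listening. The sockstat lines embedded in it are constructed to mimic the real column layout; on a live host pipe the real command into `external_listeners` instead.

```sh
#!/bin/sh
# Added example (not from the thread): list network-reachable listeners.
# Real use:  sockstat -4 -6 -l | external_listeners
# SAMPLE_SOCKSTAT below is constructed, not captured from a real host.

# Print "proto local-address command" for every listening socket bound to
# something other than a loopback address, i.e. reachable once the
# firewall is open. Columns: USER COMMAND PID FD PROTO LOCAL FOREIGN.
external_listeners() {
    awk 'NR > 1 {
        proto = $5; local = $6; cmd = $2
        # loopback-only sockets cannot be reached from other hosts
        if (local ~ /^127\.[0-9.]+:/ || local ~ /^\[?::1\]?:/) next
        print proto, local, cmd
    }'
}

# Map a daemon name to the rc.conf(5) setting that stops it from listening.
# Only daemons whose knobs are well known are included; anything else is
# reported as "check its rc script" and the function returns failure.
rc_knob_for() {
    case "$1" in
        sshd)    echo 'sshd_enable="NO"' ;;
        syslogd) echo 'syslogd_flags="-ss"   # keep local logging, no network socket' ;;
        rpcbind) echo 'rpcbind_enable="NO"' ;;
        inetd)   echo 'inetd_enable="NO"' ;;
        *)       echo "# $1: check its rc script"; return 1 ;;
    esac
}

# Constructed sample in sockstat -4 -6 -l format (not real host data).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp6   *:22                  *:*
root     sshd       812   4  tcp4   *:22                  *:*
root     syslogd    540   6  udp6   *:514                 *:*
root     syslogd    540   7  udp4   *:514                 *:*
root     cupsd      901   5  tcp4   127.0.0.1:631         *:*
root     cupsd      901   6  tcp6   ::1:631               *:*'

# Number of network-reachable listeners in the sample (cupsd is excluded
# because it only binds to loopback).
count_external() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | external_listeners | wc -l | tr -d ' '
}

# Stand-alone run: show the reachable listeners and the knob for each daemon.
printf '%s\n' "$SAMPLE_SOCKSTAT" | external_listeners | while read -r proto local cmd; do
    printf '%-5s %-22s %s -> %s\n' "$proto" "$local" "$cmd" "$(rc_knob_for "$cmd" || true)"
done
```

The loopback check is the important part: a daemon bound to 127.0.0.1 or ::1 is not an "external login" problem, whereas `*:22` is reachable from every interface the moment the firewall is relaxed.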


----------



## Handy92 (Aug 8, 2016)

Even if it is removed from /var/db/etcupdate?


----------



## SirDice (Aug 8, 2016)

That directory has nothing to do with it; it's just a work directory for etcupdate(8).

If you really want to get rid of them the only way is to update from source and use src.conf(5). But mind you, other parts of the OS may depend on it and will fail to build. Or leave you with an unusable system.


----------



## Handy92 (Aug 8, 2016)

What if I create an empty file and set `schg` on it?


----------



## Murph (Aug 8, 2016)

It's highly abnormal to manage security by deleting files like that.  Use a firewall to prohibit access.  E.g. for a very simple basic firewall config, try adding the following in /etc/rc.conf:


```
firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_type="client"          # Firewall type (see /etc/rc.firewall)
firewall_client_net="192.0.2.0/24" # IPv4 Network address for "client"
                                # firewall.
#firewall_client_net_ipv6="2001:db8:2:1::/64" # IPv6 network prefix for
                                # "client" firewall.
```
Change the network addresses to match your local net.


----------



## SirDice (Aug 8, 2016)

Handy92 said:


> What if I create an empty file and set `schg` on it?


Then the whole update process will simply croak.


----------



## Handy92 (Aug 8, 2016)

I use ipfw too and I set the rules manually, so only ports 53, 80, and 443 are open, but sometimes I must disable the firewall for 1-60 minutes...


----------



## chrbr (Aug 8, 2016)

You can create an /etc/ipfw.rules.open such as

```
#!/bin/sh
# Flush out the list before we begin.
# Handbook section 29.4

ipfw -q -f flush

# open taken from /etc/rc.firewall
# --------------------------------
ipfw -q add 65000 allow all from any to any
```
and open the firewall with `sh /etc/ipfw.rules.open`. Assuming `sh /etc/ipfw.rules` loads your current configuration, running that brings the firewall back to normal.


----------



## Handy92 (Aug 8, 2016)

How do I switch from my rules to the 'open' rules and back?


----------



## cpm@ (Aug 8, 2016)

Handy92 said:


> How do I switch from my rules to the 'open' rules and back?



Read: https://www.freebsd.org/doc/handbook/firewalls-ipfw.html#firewalls-ipfw-enable
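To make the switch chrbr describes a little safer, the script below is an added example (not from the thread or the Handbook) that loads either rule set by name and, when the open set is loaded, automatically reloads the normal rules after a time limit, so a maintenance window cannot be forgotten and left open. It assumes the two rule files are shell scripts as in this thread, `ipfw.rules` (normal) and `ipfw.rules.open`, under `RULES_DIR` (default `/etc`, overridable for testing).

```sh
#!/bin/sh
# Added example (not from the thread): switch ipfw rule sets with a timed
# revert. Assumes the rule files are sh scripts that flush and re-add rules:
#   $RULES_DIR/ipfw.rules       normal (restrictive) rules
#   $RULES_DIR/ipfw.rules.open  temporary open rules
RULES_DIR="${RULES_DIR:-/etc}"

# Resolve a profile name to its rule script; prints the path or fails.
rules_file_for() {
    case "$1" in
        normal) printf '%s\n' "$RULES_DIR/ipfw.rules" ;;
        open)   printf '%s\n' "$RULES_DIR/ipfw.rules.open" ;;
        *)      echo "unknown profile: $1" >&2; return 1 ;;
    esac
}

# Load the rule script for a profile. Each script flushes and re-adds its
# own rules, so loading the same profile twice is harmless.
load_profile() {
    file=$(rules_file_for "$1") || return 1
    if [ ! -r "$file" ]; then
        echo "rules file not found: $file" >&2
        return 1
    fi
    sh "$file"
}

# Open the firewall for at most $1 seconds, then reload the normal rules.
# The revert runs in a background subshell; if loading the open set fails,
# nothing is changed and no timer is started.
open_for() {
    secs=$1
    case "$secs" in
        ''|*[!0-9]*) echo "usage: open_for SECONDS" >&2; return 1 ;;
    esac
    load_profile open || return 1
    ( sleep "$secs"; load_profile normal ) &
    echo "firewall open; reverting to normal rules in ${secs}s"
}

# Typical use from a shell:  open_for 1800   (30 minutes)
#                            load_profile normal   (revert early by hand)
```

Usage: `open_for 1800` opens the firewall for 30 minutes; `load_profile normal` puts the restrictive rules back at any time. Because the revert is just a re-run of the normal rule script, it works whether or not the open script is still in effect.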


----------



## storvi_net (Aug 11, 2016)

In my opinion the design of your "system" is broken.
There should not be any reason to change any firewall rules while using the system. If you have services you want to reach, do this in a secure way and don't loosen the security of the whole system for an hour...

What kind of services do you use without the firewall? Probably we can suggest a better way.

Regards
Markus


----------



## Handy92 (Oct 14, 2016)

storvi_net said:


> What kind of services do you use without the firewall?



Sorry for the late reply. I use only HTTP, HTTPS, and DNS.

My Firewall rules:

```
ipfw -q -f flush

ipfw -q add 0010 allow all from any to any via em0
ipfw -q add 0020 allow all from any to any via lo0
ipfw -q add 0030 deny all from any to any frag
ipfw -q add 0031 deny all from any to 127.0.0.0/8
ipfw -q add 0032 deny all from 127.0.0.0/8 to any


#ipfw -q add 0040 allow tcp from me to any 53 out via wlan0 setup keep-state
#ipfw -q add 0050 allow udp from me to any 53 out via wlan0 keep-state
ipfw -q add 0060 allow tcp from me to any 80 out via wlan0 setup keep-state
ipfw -q add 0070 allow tcp from me to any 443 out via wlan0 setup keep-state
# ipfw separates the port from the address with a space; "addr:123" would
# be parsed as an address with netmask 123 and rejected.
ipfw -q add 0071 allow udp from me to 153.19.250.123 123 out via wlan0 keep-state
ipfw -q add 0075 allow udp from me to any 443 out via wlan0 keep-state
ipfw -q add 0080 deny icmp from any to any via wlan0
ipfw -q add 0090 deny tcp from any to any established via wlan0


ipfw -q add 1000 deny log all from any to any
```

PS. Is keeping FreeBSD actually absolutely necessary? I need only VirtualBox and Firefox, sometimes TPB too.


----------

