
IP Filter Based Firewalls HOWTO


Name: Jessica
Date: October 19, 2002 at 06:33:57 Pacific
OS: Solaris-x86
CPU/Ram: 800
Comment:

Hi,
I am pretty new to firewalls. I am reading the "IP Filter Based Firewalls HOWTO" and I have some questions; I hope you can help:

1. "when you're actually creating your ruleset, you should setup rules for every direction and every interface"
Does this mean we need to set up rules for every interface on the firewall? For example, if the Solaris box has 3 NICs separating Local, Internet and DMZ, do I need to configure all 3 NICs when I set up the rulesets based on interface?

2. "There is a big problem with blocking services by the port: sometimes they move. RPC based programs are terrible about this, lockd, statd, even nfsd listens places other than 2049"
I checked /etc/services for rpcbind and lockd; they both have their specified ports for listening for the services. According to my understanding of Solaris, on the server side the port number is well-known (like rpcbind, which uses tcp/111 or udp/111); on the client side it gets a random port number for the request, and for the one-to-one server/client connection, Solaris TCP/IP uses "IP address + port number = socket" to locate it. So what does that sentence mean?


Thanks in advance for any discussion.

Jessica





Response Number 1
Name: kokpoh
Date: October 19, 2002 at 18:36:17 Pacific
Reply:

It depends on which type of firewall you are using, but most firewalls are almost the same.

Yes, you need different rules/policies for all 3 types of interfaces. Why? If you have 10.10.10.1 (local), 1.1.1.1 (DMZ) and 12.12.12.1 (internet) and you only allow local to DMZ, then you have to set a rule something like this: "permit all from 10.10.10.1 to 1.1.1.1". Again, this rule depends on what kind of firewall you are using.

For the service ports, you are fine with it; don't be scared of something happening to your DMZ, local or internet. You have to know more about ports before you close these ports. Just to play safe, normally I close all ports except for 2 or 3 ports that I allow to be open. That way, I can save a lot of my time and hard disk for my log files. Yes, port 111 is the print spooler, and no one in this world will open this port to allow printing documents through the internet; maybe some companies will allow it only for internal use, not external. And yes, when it returns the ACK, it will look for any open random high port to send the ACK to you. Therefore you might see this:

(this is an example for web browsing - TCP)
TCP 10.10.10.1:80 25.25.25.1:3125 LISTENING
TCP 10.10.10.10:5421 25.25.25.1:80 LISTENING

hope this will help.


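As an added example, not taken from the HOWTO or from either poster, here is one way to lay out an IP Filter (ipf.conf) ruleset for the three-NIC Solaris box in question 1, with a rule set per interface and direction. The interface names (elxl0, elxl1, elxl2), the DMZ web server address 1.1.1.10 and the 10.10.10.0/24 and 1.1.1.0/24 subnets are assumptions for illustration.

```conf
# Assumed interfaces (constructed for this example):
#   elxl0 = local LAN 10.10.10.0/24, elxl1 = DMZ 1.1.1.0/24, elxl2 = Internet (12.12.12.1)
# IP Filter reads rules top to bottom and the LAST match wins unless "quick" is used,
# so the default-deny rules go first and the explicit "pass ... quick" rules override them.

# Default deny, both directions, on every interface; log what gets dropped
block in log all
block out log all

# Loopback is trusted
pass in quick on lo0 all
pass out quick on lo0 all

# --- Internet interface (elxl2) ---
# Anti-spoofing: private source addresses never legitimately arrive from outside
block in quick on elxl2 from 10.0.0.0/8 to any
block in quick on elxl2 from 172.16.0.0/12 to any
block in quick on elxl2 from 192.168.0.0/16 to any
# The only service the world may reach is the DMZ web server; "flags S" means the
# rule matches only new connections and "keep state" passes the reply packets
pass in quick on elxl2 proto tcp from any to 1.1.1.10 port = 80 flags S keep state
# Traffic leaving toward the Internet (and its replies) is allowed
pass out quick on elxl2 proto tcp from any to any flags S keep state
pass out quick on elxl2 proto udp from any to any keep state
pass out quick on elxl2 proto icmp from any to any keep state

# --- DMZ interface (elxl1) ---
# DMZ hosts may answer connections but must never initiate into the LAN
block in quick on elxl1 from 1.1.1.0/24 to 10.10.10.0/24
# DMZ hosts may only initiate DNS lookups outward
pass in quick on elxl1 proto tcp from 1.1.1.0/24 to any port = 53 flags S keep state
pass in quick on elxl1 proto udp from 1.1.1.0/24 to any port = 53 keep state
pass out quick on elxl1 proto tcp from any to 1.1.1.0/24 flags S keep state
pass out quick on elxl1 proto udp from any to 1.1.1.0/24 keep state

# --- Local LAN interface (elxl0) ---
# The LAN may initiate to the DMZ and the Internet; state handles the return packets
pass in quick on elxl0 proto tcp from 10.10.10.0/24 to any flags S keep state
pass in quick on elxl0 proto udp from 10.10.10.0/24 to any keep state
pass in quick on elxl0 proto icmp from 10.10.10.0/24 to any keep state
pass out quick on elxl0 proto tcp from any to 10.10.10.0/24 flags S keep state
pass out quick on elxl0 proto udp from any to 10.10.10.0/24 keep state
pass out quick on elxl0 proto icmp from any to 10.10.10.0/24 keep state
```

Because state is kept on the rule that sees the first packet, the random high client ports in the reply (the ACKs kokpoh mentions) are matched by the state table rather than by a separate open-port rule, which is also how you avoid opening ranges for RPC services that move ports.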
