Code Project
Firewall configuration

The Lounge, 19 Posts, 9 Posters
John M Drescher wrote:

I am confused at what you are trying to do here. I mean most of the time with a firewall you block all ports and only expose the few services that you specifically want to allow access from the outside world.

John

modified on Wednesday, June 24, 2009 2:29 PM

Christopher Duncan (#8), in reply to John M Drescher:

Yes, that's the issue exactly. I know that I want to enable ports for http, ftp and pop. What I don't know is how many other ports I should keep open that are used by legit services or software of which I may be unaware - Windows stuff, update services, etc. It's one of those "if I knew the exact question to ask I'd implicitly have the answer" kinda things.

Christopher Duncan www.PracticalUSA.com Author of The Career Programmer and Unite the Tribes Got a career question? Ask the Attack Chihuahua!
PIEBALDconsult wrote:

Christopher Duncan wrote:

common sense Dos and Don'ts

Do have a firewall. Don't connect it to the 'Net :-D

Christopher Duncan (#9), in reply to PIEBALDconsult:

Oh my, but you comedians are just coming out of the woodwork today, aren't you? :)
Christopher Duncan wrote:

My previous firewall died today, after years of serving honorably. Services will be held this afternoon near the trash can that will be its final resting place. In setting up the new one, I thought I'd look into firewall settings in more detail to lock it down more than the default but (hopefully) without shooting myself in the foot in terms of day to day software hassles from over protection. Anyone know of good online reading for basic firewall port configuration for those of us who aren't network engineers? I don't want to make a career of this, but I suspect there are some common sense Dos and Don'ts.

Electron Shepherd (#10), in reply to Christopher Duncan:

Christopher Duncan wrote:

lock it down more than the default

If the default isn't completely locked down, you've got the wrong product. Amy firewall worth its salt will allow no network traffic through it, in either direction, as a default. If you are not publishing any services, don't allow any inbound traffic. As a minimum, you would probably need to allow outbound on TCP ports 53 (dns zone xfer), 80 (web), 443 (secure web), 25 (smtp), 110 (pop3), and UDP port 53 (dns query). Then, keep an eye on the firewall's logs that tell you what traffic from the internal network was blocked, and decide if you need to allow that too. Examples might be TCP ports 22 (ssh), 23 (telnet) and 3389 (rdp), depending on the external systems you access.

Server and Network Monitoring
Jim Crafton (#11), in reply to Christopher Duncan:

For what it's worth, on mine I just shut everything down but the general stuff (http, mail, etc). Everything seems to work OK. But I don't use IM, p2p, bit torrent, games or other stuff like that, so I may have an unusual setup.

The devil is in my trousers! Look, look! SELECT * FROM User WHERE Clue > 0 0 rows returned Save an Orange - Use the VCF! Personal 3D projects Just Say No to Web 2 Point Blow
Henry Minute (#12), in reply to Electron Shepherd:

Electron Shepherd wrote:

Amy firewall worth its salt

Amy Winehouse's more restrained sister?

Henry Minute Do not read medical books! You could die of a misprint. - Mark Twain Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.”
PIEBALDconsult (#13), in reply to Henry Minute:

Sounds more like the protection the Secret Service provided to Amy Carter.
John M Drescher (#14), in reply to Christopher Duncan:

None of these extra services should need incoming connections originating from the internet to work. Windows update initiates a connection to a Microsoft server, not the other way around.

John
John M Drescher (#15), in reply to Christopher Duncan:

Christopher Duncan wrote:

I know that I want to enable ports for http, ftp and pop.

You only enable these if your pc is a mail server and/or webserver for users on the internet, otherwise these are locked down as well. Your ISP may be blocking access to these anyways. I know Comcast blocks http, ftp, ssh, and mail (smtp/pop).

John
Christopher Duncan (#16), in reply to Electron Shepherd:

Good stuff, thanks.
Mustafa Ismail Mustafa (#17), in reply to Christopher Duncan:

I get that all the time when I post a question :)

If the post was helpful, please vote, eh! Current activities: Book: Devils by Fyodor Dostoyevsky Project: Hospital Automation, final stage Learning: Image analysis, LINQ Now and forever, defiant to the end. What is Multiple Sclerosis?
Ribhi Kamal (#18), in reply to Christopher Duncan:

Here are some do's:

1- Don't forget to add antispoofing rules on the external interface. Anything (inbound) with a source address from the firewall or the internal network should be dropped silently.
2- Log everything that is destined to any firewall interface from the Internet. This will help detect if your firewall got hacked at some point or if someone is doing a DoS attack.
3- Run the fewest services possible on your firewall.

And don't:

1- Enable DNS lookups to just any DNS server. Only the DNS server from your ISP should be allowed.
2- Route private networks.
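An added nftables ruleset, written for this thread and not taken from any poster, that puts Electron Shepherd's advice in #10 (default deny in both directions, a short outbound allow list, review the log of blocked internal traffic) together with Ribhi Kamal's do's and don'ts in #18 (antispoofing on the external interface, log what targets the firewall, ISP resolvers only, don't route private networks); the interface names eth0/eth1 and the 203.0.113.x resolver addresses are assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Assumed layout: eth0 faces the ISP, eth1 faces the internal LAN (placeholders).
flush ruleset

define WAN     = "eth0"
define LAN     = "eth1"
define ISP_DNS = { 203.0.113.53, 203.0.113.54 }   # placeholder: your ISP's resolvers
define PRIVATE = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # antispoofing: silently drop Internet traffic claiming an inside source address
        iifname $WAN ip saddr $PRIVATE counter drop
        # everything else aimed at the firewall itself from the Internet is logged, then dropped
        iifname $WAN counter log prefix "fw-input-drop: " drop
        # the LAN may use the firewall as its DNS forwarder (assumption)
        iifname $LAN udp dport 53 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname $WAN ip saddr $PRIVATE counter drop
        # no published services, so nothing unsolicited from the WAN is forwarded inward;
        # and private address space is never routed out to the Internet
        oifname $WAN ip daddr $PRIVATE counter drop
        # outbound from the LAN: only the services named in the thread
        iifname $LAN oifname $WAN tcp dport { 25, 80, 110, 443 } accept
        iifname $LAN oifname $WAN ip daddr $ISP_DNS udp dport 53 accept
        iifname $LAN oifname $WAN ip daddr $ISP_DNS tcp dport 53 accept
        # anything else the inside tries is logged so it can be reviewed and allowed deliberately
        iifname $LAN oifname $WAN counter log prefix "fw-fwd-blocked: " drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # the firewall itself resolves names only through the ISP's servers
        oifname $WAN ip daddr $ISP_DNS udp dport 53 accept
        oifname $WAN ip daddr $ISP_DNS tcp dport 53 accept
    }
}
```

The `ip` matches are IPv4-only, so with these drop policies IPv6 is blocked outright until equivalent `ip6` rules are added; masquerading for the LAN (a separate nat table) is assumed and not shown.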
urbane tiger (#19), in reply to Christopher Duncan:

Somewhere I should have some good papers on how to set up a firewall using Solaris; I used them to build a corporate firewall using some AIX boxes we already happened to have. Can't give you any links, but a search around Sun's site should find them. Mine are about 15 years old and on paper, but I don't think that much has changed, except maybe the availability of NAT routers with DHCP. If you use the AIR firewall it'll be the only brick you'll need in that wall. :)

Many fear their reputation, few their conscience. (Pliny)
