RE: [fw-wiz] RE: Help w/ Port 137 Traffic

From: Frank Knobbe (fknobbe@knobbeits.com)
Date: 10/13/02


From: Frank Knobbe <fknobbe@knobbeits.com>
To: Stefan Norberg <stefan@orbisec.com>
Date: Sun Oct 13 22:31:01 2002


On Sun, 2002-10-13 at 12:52, Stefan Norberg wrote:
> I tend to build firewall rulebases that do the following (don't know
> if this is common practice/knowledge out there):
>
> 1) Accept rules for traffic to the firewall device itself go first (such
> as ssh, fw-gui).
> 2) Explicit drop for all other traffic to the firewall device.
> 3) General accept rules (ordered by system - high volume stuff first).
> 4) Silent drop of some stuff that just fills up the logs and adds little
> value, such as udp/137. Drop certain internal IPs that scan the
> internal network all the time. And so on.
> 5) Drop and log everything else.
>
> In general you don't want to use block/reject, since it sends out a TCP
> RST (for TCP) or ICMP port unreach for UDP. An example where you would
> use block/reject is to avoid timeouts for valid traffic such as identd.

Stefan,

I build mine very similar to you, with one exception. Any traffic from
the inside net that the firewall is supposed to block, I'm REJECTing.
That way internal devices don't 'hang' waiting for a timeout. Everything
coming in from the outside still gets DROPPED though. But I do prefer to
send a RST to hosts on the inside.

Regards,
Frank
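The rulebase layout Stefan quotes and Frank's reject-inside/drop-outside variant, as an added first-match simulation (example code written for this page, not from either poster). Every address, interface assumption and sample packet is constructed; the point it shows is why step 2 (the explicit drop to the firewall) has to sit above the general accepts, and what an internal client gets back under Frank's policy versus an external one.

```python
"""First-match packet filter simulation of the rulebase layout in the thread.

Order: 1) accepts to the firewall itself, 2) explicit drop for everything
else aimed at the firewall, 3) general accepts (high volume first),
4) silent drops of log noise (udp/137, a known internal scanner),
5) drop-and-log everything else. Frank's variant: a blocked packet whose
source is the inside net is REJECTed (TCP RST or ICMP port-unreachable)
so the client fails fast; blocked traffic from outside is silently dropped.

All addresses and packets below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional, Tuple

INSIDE = ip_network("192.168.1.0/24")        # constructed internal net
FW_ADDR = ip_address("192.168.1.1")          # constructed firewall address
NOISY_SCANNER = ip_address("192.168.1.77")   # constructed host that scans all day


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "accept", "drop" (silent) or "drop-log"
    match: Callable[[Packet], bool]


def from_inside(p: Packet) -> bool:
    return ip_address(p.src) in INSIDE


def to_firewall(p: Packet) -> bool:
    return ip_address(p.dst) == FW_ADDR


RULEBASE = [
    # 1) accepts for traffic to the firewall device itself go first
    Rule("ssh to firewall from inside", "accept",
         lambda p: to_firewall(p) and from_inside(p) and p.proto == "tcp" and p.dport == 22),
    # 2) explicit drop for all other traffic to the firewall
    Rule("anything else to firewall", "drop", to_firewall),
    # 3) general accepts, high-volume stuff first
    Rule("inside -> anywhere http", "accept",
         lambda p: from_inside(p) and p.proto == "tcp" and p.dport == 80),
    Rule("inside -> anywhere dns", "accept",
         lambda p: from_inside(p) and p.proto == "udp" and p.dport == 53),
    # 4) silent drops of stuff that only fills the logs
    Rule("netbios name service noise", "drop",
         lambda p: p.proto == "udp" and p.dport == 137),
    Rule("known internal scanner", "drop",
         lambda p: ip_address(p.src) == NOISY_SCANNER),
    # 5) drop and log everything else
    Rule("default deny", "drop-log", lambda p: True),
]

# Same rules with step 2 pushed below the general accepts: the mistake the
# ordering in the thread is there to avoid.
MISORDERED = RULEBASE[:1] + RULEBASE[2:4] + [RULEBASE[1]] + RULEBASE[4:]


def evaluate(packet: Packet, rulebase=RULEBASE, reject_inside: bool = True
             ) -> Tuple[str, str, Optional[str], bool]:
    """Walk the rulebase top to bottom; the first matching rule decides.

    Returns (rule name, final action, response sent to the source, logged).
    With reject_inside=True (Frank's variant) a blocked packet from the
    inside net is rejected with a TCP RST or ICMP port-unreachable instead
    of being dropped; blocked traffic from outside gets no response at all.
    """
    for rule in rulebase:
        if not rule.match(packet):
            continue
        logged = rule.action == "drop-log"
        action = "drop" if logged else rule.action
        response = None
        if action == "drop" and reject_inside and from_inside(packet):
            action = "reject"
            response = "tcp-rst" if packet.proto == "tcp" else "icmp-port-unreachable"
        return rule.name, action, response, logged
    raise AssertionError("rulebase must end with a catch-all rule")


if __name__ == "__main__":
    samples = [
        Packet("192.168.1.10", "192.168.1.1", "tcp", 22),    # admin ssh to the firewall
        Packet("192.168.1.10", "192.168.1.1", "tcp", 80),    # http aimed at the firewall itself
        Packet("192.168.1.10", "198.51.100.9", "tcp", 113),  # identd: fails fast, not a timeout
        Packet("203.0.113.5", "192.168.1.20", "udp", 137),   # outside netbios noise, no log entry
        Packet("203.0.113.5", "192.168.1.20", "tcp", 445),   # outside, logged, no response
        Packet("192.168.1.77", "192.168.1.20", "tcp", 445),  # the internal scanner
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt))
    print("misordered:", evaluate(samples[1], MISORDERED))
```

With the rules in the quoted order, the http packet aimed at the firewall hits the explicit firewall drop and, coming from inside, is answered with a RST; in `MISORDERED` the general "inside -> anywhere http" accept matches first and lets it through. The identd sample shows Stefan's timeout point: an internal client probing tcp/113 gets a RST immediately instead of waiting on a silent drop.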
