Re: [fw-wiz] Firewall best practices
Hi jas,

Actually, it's not about the ports to block, but the ports to allow. That's assuming you're using a drop/deny-all policy, which frankly you should.
But even with the deny-all policy, there are a few basic packets you should drop:
1. (if you're using iptables) drop invalid-state packets
2. make sure you restrict ICMP traffic and never allow echo requests to get in (avoiding smurf attacks), or any broadcast traffic for that matter.
3. don't allow IP packets with options to get in. These are usually used by hackers to make spoofed packets go back to them (IP header length must be 5!)
4. mitigate spoofing or LAND DoS attacks by denying inside traffic with source IP addresses from private networks (192.168.0.0/16, etc.)
5. (this is usually default modern OS behaviour, but) make sure you mitigate TCP SYN flood attacks with (usually OS-supported) TCP cookies.
This is the least the firewall should do.

--
André Lima
Cisco Certified Network Associate - CCNA
http://pwp.net.ipl.pt/alunos.isel/28838/


On 3/20/10 4:54 PM, Jason Lewis wrote:
I was configuring a new firewall and was setting up rules to block
things like SMB, known trojan ports and remote access clients. It
got me thinking that the process would be quicker if I had a list of
recommended ports/apps to block.

Is anyone aware of such a list? Best practices for ports to block
seems like something that would exist, but I haven't had any luck in
my search.

jas
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
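The five "always drop" points from the reply above, turned into a default-deny iptables baseline. This is an added example, not from the thread; it assumes Linux with the conntrack, addrtype and u32 match modules, eth0 as the outside interface and 10.0.0.0/24 as the inside network (override with WAN and LAN_NET). Without an argument it only prints the commands; pass "apply" to run them as root.

```shell
#!/bin/sh
# Baseline for a drop/deny-all firewall: the packets to drop before any
# explicit allow rule. Interface and LAN are assumptions, not from the post.
WAN=${WAN:-eth0}
LAN_NET=${LAN_NET:-10.0.0.0/24}

baseline_rules() {
  # Default policy: deny all; everything else is an explicit allow.
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT DROP"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A OUTPUT -o lo -j ACCEPT"
  # (1) packets the connection tracker cannot classify.
  echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
  # (4) inbound packets claiming a private or local source (spoofing;
  #     LAND = source address inside our own network).
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 "$LAN_NET"; do
    echo "iptables -A INPUT -i $WAN -s $net -j DROP"
  done
  # (3) IP header length (IHL) must be 5, i.e. no IP options. u32 reads the
  #     first 32 bits of the IP header; the low nibble of byte 0 is the IHL,
  #     so IHL 6..15 means options are present.
  echo "iptables -A INPUT -i $WAN -m u32 --u32 '0&0x0F000000=0x06000000:0x0F000000' -j DROP"
  # (2) no inbound echo requests and no broadcast-destined traffic; keep the
  #     ICMP error that path-MTU discovery depends on.
  echo "iptables -A INPUT -i $WAN -p icmp --icmp-type echo-request -j DROP"
  echo "iptables -A INPUT -i $WAN -m addrtype --dst-type BROADCAST -j DROP"
  echo "iptables -A INPUT -i $WAN -p icmp --icmp-type fragmentation-needed -j ACCEPT"
  # Return traffic for connections we started; service allows go after this.
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
  # (5) SYN cookies against SYN floods: a kernel setting, not a rule.
  echo "sysctl -w net.ipv4.tcp_syncookies=1"
}

# Execute each generated command in order, stopping at the first failure.
apply_rules() {
  baseline_rules | while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd" || exit 1   # leaves the subshell; the pipeline status is non-zero
  done
}

case "${1:-print}" in
  apply) apply_rules ;;
  *) baseline_rules ;;
esac
```

Drops are deliberately placed before the ESTABLISHED,RELATED accept so a spoofed or option-carrying packet can never ride in on an existing connection entry.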
