Re: [fw-wiz] Firewall best practices

From: Andre Lima <andreflima@xxxxxxxxx>
Date: Sun, 21 Mar 2010 10:00:59 +0000

Hi jas,

Actually, it's not about the ports to block, but the ports to allow. That's assuming you're using a drop/deny all policy, which frankly you should.
But even with the deny all policy, there should be a few basic packets you should drop:
1. (if you're using iptables) drop invalid state packets
2. make sure you restrict ICMP trafic and never allow echo requests to get in (avoiding smurf attacks) or any broadcast traffic for that matter.
3. don't allow IP packets with options to get in. these are usually used by hackers to make spoofed packets go back to them (ip header length must be 5!)
4. mitigate spoofing or LAND DoS attacks by denying inside traffic with source IP adresses from private networks (192.168.0.0/16, etc)
5. (this is usually default modern OS behaviour but) make sure you mitigate TCP syn flood attacks with (usually OS supported) TCP cookies.
This should be the least the firewall should do.

--
André Lima
Cisco Certified Network Associate - CCNA
http://pwp.net.ipl.pt/alunos.isel/28838/

On 3/20/10 4:54 PM, Jason Lewis wrote:

I was configuring a new firewall and was setting up rules to block
things like SMB and known trojan port and remote access client. It
got me thinking that the process would be quicker if I had a list
recommended ports/apps to block.

Is anyone aware of such a list. Best practices for ports to block
seems like something that would exists, but I haven't had any luck in
my search.

jas
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

References:
- [fw-wiz] Firewall best practices
  - From: Jason Lewis

Prev by Date: [fw-wiz] Call for papers: ISP-10, USA, July 2010
Next by Date: Re: [fw-wiz] Firewall best practices
Previous by thread: [fw-wiz] Firewall best practices
Next by thread: Re: [fw-wiz] Firewall best practices
Index(es):
- Date
- Thread

Relevant Pages

Re: [fw-wiz] Firewall best practices
... That is all good, but, the current trend tends to be for established/related from the inside to be allowed, thus there can be reasons to have blocks in place, to close off problematic ports even from the inside. ... But even with the deny all policy, there should be a few basic packets you should drop: ... make sure you restrict ICMP trafic and never allow echo requests to get in (avoiding smurf attacks) or any broadcast traffic for that matter. ... make sure you mitigate TCP syn flood attacks with TCP cookies. ...
(Firewall-Wizards)
Re: Babysitting on iptables requested :-)
... Here's the list of ports that I see probed then I take the "Probe my ... this was a friendly probe; all packets were TCP SYNs - ... SYN is a packet that is used to initiate a TCP connection. ... >> between Windows machines, so without this a Windows machine in your ...
(comp.os.linux.security)
Re: Political Analysis of Security Products
... > bee collected nor has any evidence of such a backdoor ever really been ... send several packets to ports on the target system. ... be used for booth sides of the security game. ...
(Pen-Test)
Re: Network traffic monitor app
... switch in the router to connect equipment together. ... So for traffic from a workstation to the internet it goes from the ... packets sent and the second the number of dud packets. ... one or more ports. ...
(comp.sys.mac.misc)
RELENG_6_3 ping and DUP packets
... duplicate packets when pinging the upgraded machine. ... <ACPI PCI bus> on pcib0 ... usb0: USB revision 1.0 ... 2 ports with 2 removable, ...
(freebsd-stable)