Re: Firewall setup
From: Sebastian Schneider (ses_at_straightliners.de)
Date: 09/16/03
- Previous message: dave kleiman: "RE: Patching a Firewall"
- In reply to: Gaz Wilson: "Firewall setup"
- Next in thread: irado furioso com tudo: "Re: Firewall setup"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Gaz Wilson <dragon@dragons.org.uk>, security-basics@securityfocus.com
Date: Tue, 16 Sep 2003 01:33:53 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hey Gaz,
usually you do it the other way 'round. That is, by allowing the sort of
traffic that fits your needs and requirements.
Depending on what you do and which services you use, the ports 25 (smtp), 53
(nameserver), 80 (http), 110 (pop3) and 443 (https) are common.
Please take account of the source and destinations, since rules and filters may
depend on that. When talking about "return connections" (so-called related
and established traffic), I suppose you're talking about stateful firewalls
like iptables. There are different kinds of firewall technologies (packet
filter, stateful firewalls and proxy firewalls, or combinations of these). So
your setup will differ regarding the type chosen.
However, the default policy should be deny or drop, depending on the software
chosen. Thus just allowed traffic will traverse your firewall and everything
else will be dropped. I guess this is what's crossing your mind when talking
about a proactive approach.
If you're about to connect more than one workstation or server to the
internet, you'll need to use NAT (sometimes called PAT).
As you say, you don't want to block all outgoing traffic, which is an easy to
use but not secure way. You can adapt that to your firewall when defining the
filters. Something like block all outgoing broadcasts, traffic with a source
OR destination port of 135-139 or 445. If you're running MacOS based
computers within your environment you should drop afs (Apple file sharing)
traffic as well.
Your appropriate incoming ruleset will just allow new connections to
well-defined services or already related or established traffic.
Kindest Regards,
Sebastian
On Monday 15 September 2003 17:33, Gaz Wilson wrote:
> Hi all,
>
> I'm about to get *DSL in my village, and I am going to want to operate
> a firewall naturally. I know about blocking all incoming ports bar
> any service I want to run and "return connections", but with the
> increase in worms et al flying around (mixed network, UNIX and
> Windows (prob 2k)), it strikes me that being a bit more proactive
> and blocking certain outgoing ports would be a good idea. I don't
> need any MS based traffic leaving the private network, so I wanted to
> ask the specialists, you lot, what your opinions are of what would be a
> fairly secure set of ports to block to help stop info leakage etc?
> (I don't want to block all outgoing except for known services though, as
> the uses of the boxes on the network may vary and I don't want to have to
> reconfig the firewall quite that often :) )
>
> TIA
>
> Gaz
--
Sebastian Schneider
straightLiners IT Consulting & Services
Metzer Str. 12
13595 Berlin
Germany
Fon: +49-30-3510-6168
Fax: +49-30-3510-6169
www.straightliners.de
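The ruleset Sebastian describes, written for iptables (the stateful firewall he names), as an added example that is not part of the original post: default-deny policy, related/established traffic admitted back in, new inbound connections only to well-defined services, MS networking (135-139, 445) and broadcasts dropped on the way out, and NAT for the LAN. Interface names, the LAN range and the served ports are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Set IPT="echo iptables" to print
# the commands instead of applying them (applying needs root).
IPT="${IPT:-iptables}"
WAN="${WAN:-ppp0}"                       # assumed DSL-facing interface
LAN="${LAN:-eth0}"                       # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed private range behind NAT
IN_SERVICES="${IN_SERVICES:-25 80 443}"  # assumed services offered to the world

build_ruleset() {
    # Start from deny-all on every chain, then allow only what is needed.
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # "Return connections": the state engine admits replies to flows the
    # inside started; unsolicited inbound packets never match here.
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
    # Packets the tracker cannot classify are dropped before service rules.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Egress filter: MS networking by source OR destination port, plus
    # broadcasts, must not leave the private network.
    for proto in tcp udp; do
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -p "$proto" -m multiport --sports 135:139,445 -j DROP
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -p "$proto" -m multiport --dports 135:139,445 -j DROP
    done
    $IPT -A FORWARD -o "$WAN" -m addrtype --dst-type BROADCAST -j DROP

    # Remaining LAN traffic may go out (no strict outbound allow-list, as
    # the poster wants); the gateway itself may originate connections.
    $IPT -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$WAN" -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT

    # New inbound from the internet only to the well-defined services;
    # the LAN may talk to the gateway freely.
    for port in $IN_SERVICES; do
        $IPT -A INPUT -i "$WAN" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # NAT (PAT) so several hosts share the single DSL address.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}
```

Review the dry-run output first; the egress rules sit before the general LAN-to-WAN accept, so rule order matters if you add to the FORWARD chain later.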