Re: What should I block out with my new firewall software?

From: Lisa (noreply_at_noreply.com)
Date: 02/14/04


Date: Fri, 13 Feb 2004 22:48:09 -0500

On 2/13/2004 9:13 PM, Bob Ladbury wrote:
> After much deliberation, it looks like I'm sticking to my good ol'
> Kerio Personal Firewall v2.15. I still don't know much about net
> communications, but I'm learning by entering configurations from
> people like SpongeBob. I'm wondering if there are major things I can
> block out that I don't use or need, like UDP or TCP. Reason I ask is
> that I believe I'm getting "pinged"; one of my rules is telling me
> that a couple of different remote addresses are trying to use XP's
> "Generic Hosts Processes for Win32 Services" at local ports
> 2265,2266,2267 through the TCP out protocol. At the same time, I'm
> also getting warnings I don't understand from XP's SYSTEM, UDP IN and
> TCP IN at ports 135-139. I got the W32 blaster worm yesterday that
> went through port 135, so for all I know, this could be local worm
> activity or attempts from outside hackers to penetrate these ports.
> Hence the reason I'd like to block ALL UDP and TCP, if I can get away
> with it, and tell Kerio to eliminate whatever other net services I
> don't need. I don't know what these protocols are used for, but here's
> what programs I use on my HOME system, that access the net:
>

I block all incoming traffic trying to use SYSTEM with no problems, and
I've seen other people's kerio configurations that do the same. I also
block all incoming trying to use Generic Host Processes and File and
Printer Sharing, though I let Generic Host processes have outgoing
traffic. I believe that Kerio 2.1.5 comes with some preset rules (like
allow DNS, ICMP, etc) that are good to keep around. I don't fully
understand them, however, so I can't explain why all of those rules are
good to have. I also don't know what to do to specifically disallow
blaster. I think most firewalls come able to do that by default.

> - Web
> - Email
> - P2p
> - occasionally software that needs to be updated

As for the specific things you use, here are some rules you can set:

For all browsers:
Allow TCP (out) any remote address, remote ports 80, 8080, 8010, 443, 21
Allow TCP (out) remote address 127.0.0.1, any remote ports
Allow TCP (in) any remote address, remote port 20
IE may require you to allow TCP and UDP.

For all mail clients:
Allow TCP (out) any remote address, remote ports 110, 995, 119, 25
Allow TCP (out) remote address 127.0.0.1, any remote ports

FTP programs (other than servers):
Allow TCP (out) any remote address, remote port 21
Allow TCP (in) any remote address, remote port 20

Most software (Norton, windows media player, quicktime, etc etc etc):
Allow TCP (out) any remote address, remote port 80
Depending on the software (like Norton, that only accesses certain
update sites) you can specify a remote address or a range of addresses,
but I can't tell you what those are.

This "most software" category does NOT include things like AOL/AIM,
which use port 5190 for most needs, and others if you're doing things
like file transfers.

P2P: This is a very different animal, because it involves opening more
TCP in. Sometimes the program will allow you to specify what port you
want to start at or a range of ports you want to use when using the
downloading program. I'm less familiar with this so I'll let someone
else handle it.

> What I DON'T use or want to use is:
>
> - Microsoft's web updates
> - local home networks
> - file/printer sharing (already turned off)

Web updates, as far as I know, are downloaded the same way that anything
else on the web is, using IE and its standard web ports, like 80 or 443.
Now, if you don't want the web update PROGRAM to access the internet,
just completely disallow TCP/UDP out the next time it tries to contact
microsoft. Or just disable it. You can do that I think if you right
click "my computer" and look under one of its tabs for windows updates.

I don't know what you mean by local home networks.

> ...and a bunch of other stuff I can't think of. Do I need MS's
> "svchost"? It runs like a half dozen processes in the background, and
> really gobbles up memory and keeps bothering my firewalls.

It depends. svchost is used by a lot of programs, some of which you need
and some of which you don't. The only thing you can do about them is to
disable the program in question, because there's no way in the firewall
to tell which svchosts are the ones that you want. Check out
http://www.blackviper.com/WinXP/servicecfg.htm for more info on this.
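The rule lists above are easier to reason about as a first-match policy with a default deny, which is the way most personal firewalls of this era processed their rule tables. The following is an added example and is not Kerio's own rule format or code from this thread: it models the rules the reply describes (browser, mail, software updates, AIM, outbound-only Generic Host Process, everything inbound to SYSTEM blocked, plus the preset DNS rule) and runs a few constructed connection attempts through them. First-match ordering, default deny, and the application labels (`browser`, `mail`, `updater`, `aim`, `svchost`, `SYSTEM`) are assumptions made for the model; the remote addresses are documentation-range placeholders.

```python
"""First-match model of the personal-firewall rules described in the post.

Added example, not Kerio's rule format. Assumed semantics: rules are
checked top to bottom, the first matching rule decides, and any
connection no rule matches is denied (default deny).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                    # "allow" or "deny"
    proto: Optional[str] = None                    # "tcp", "udp", None = either
    direction: Optional[str] = None                # "in", "out", None = either
    app: Optional[str] = None                      # local program label, None = any
    remote_addr: Optional[str] = None              # None = any remote address
    remote_ports: Optional[FrozenSet[int]] = None  # None = any remote port
    local_ports: Optional[FrozenSet[int]] = None   # None = any local port


@dataclass(frozen=True)
class Conn:
    app: str
    proto: str
    direction: str
    remote_addr: str
    remote_port: int
    local_port: int


def matches(rule: Rule, conn: Conn) -> bool:
    """A rule matches when every field it constrains agrees with the connection."""
    return (
        (rule.proto is None or rule.proto == conn.proto)
        and (rule.direction is None or rule.direction == conn.direction)
        and (rule.app is None or rule.app == conn.app)
        and (rule.remote_addr is None or rule.remote_addr == conn.remote_addr)
        and (rule.remote_ports is None or conn.remote_port in rule.remote_ports)
        and (rule.local_ports is None or conn.local_port in rule.local_ports)
    )


def evaluate(rules: List[Rule], conn: Conn) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, else default deny."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action, rule.name
    return "deny", "default deny (no rule matched)"


# Rule table transcribed from the reply; order matters under first-match.
RULES = [
    Rule("preset: DNS lookups", "allow", "udp", "out", remote_ports=frozenset({53})),
    Rule("block inbound to SYSTEM", "deny", direction="in", app="SYSTEM"),
    Rule("block inbound to svchost", "deny", direction="in", app="svchost"),
    Rule("svchost outbound", "allow", "tcp", "out", app="svchost"),
    Rule("browser web/proxy/ftp-control", "allow", "tcp", "out", app="browser",
         remote_ports=frozenset({80, 8080, 8010, 443, 21})),
    Rule("browser loopback", "allow", "tcp", "out", app="browser", remote_addr="127.0.0.1"),
    Rule("browser ftp-data (active mode)", "allow", "tcp", "in", app="browser",
         remote_ports=frozenset({20})),
    Rule("mail client", "allow", "tcp", "out", app="mail",
         remote_ports=frozenset({110, 995, 119, 25})),
    Rule("mail loopback", "allow", "tcp", "out", app="mail", remote_addr="127.0.0.1"),
    Rule("software updates over HTTP", "allow", "tcp", "out", app="updater",
         remote_ports=frozenset({80})),
    Rule("AIM", "allow", "tcp", "out", app="aim", remote_ports=frozenset({5190})),
]

# Constructed connection attempts (documentation-range addresses, not real hosts).
SAMPLE = [
    Conn("browser", "tcp", "out", "203.0.113.10", 443, 2265),   # HTTPS page load
    Conn("SYSTEM", "tcp", "in", "198.51.100.7", 4444, 135),     # RPC probe on 135
    Conn("SYSTEM", "udp", "in", "198.51.100.7", 137, 137),      # NetBIOS name query
    Conn("svchost", "tcp", "out", "203.0.113.20", 80, 2266),    # Generic Host outbound
    Conn("svchost", "tcp", "in", "198.51.100.9", 3127, 135),    # inbound to Generic Host
    Conn("browser", "tcp", "out", "203.0.113.30", 6667, 2267),  # IRC, not in the list
    Conn("mail", "udp", "out", "203.0.113.53", 53, 1025),       # DNS from the mail client
]


def decisions(rules: List[Rule] = RULES, conns: List[Conn] = SAMPLE):
    """Evaluate each sample connection; returns (app, proto, dir, local, remote, action, rule)."""
    return [(c.app, c.proto, c.direction, c.local_port, c.remote_port, *evaluate(rules, c))
            for c in conns]


if __name__ == "__main__":
    for row in decisions():
        print("%-8s %s %-3s local %-5d remote %-5d -> %-5s (%s)" % row)
```

Running it shows the inbound TCP connection to local port 135 on SYSTEM, the vector the poster associates with Blaster, being denied by an explicit rule, while the unlisted IRC connection from the browser falls through to the default deny. Because the table is first-match, the two inbound deny rules sit above the outbound allows so that no later, broader allow can accidentally admit them.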
