Re: Firewall & Port Questions
From: Jean-Francois Messier (jfmessier_at_gmail.com)
Date: 11/11/04
- Next message: Justins local account: "Re: Header manipulation...?"
- Previous message: Alan Strassberg: "Re: recommendation for vpn"
- In reply to: stephane nasdrovisky: "Re: Firewall & Port Questions"
- Next in thread: <©¿©>: "Re: Firewall & Port Questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Nov 2004 14:47:02 -0500
stephane nasdrovisky wrote:
> Jason Turner wrote:
>
>> What ports should I NOT block that would still allow web browsing?
>
>
> If web = http:
>
> It depends! You may need tcp port 80 (some web servers do not use the
> assigned port 80, which means you may have to allow ... any port if you
> want to surf test/non standard servers) and udp+tcp port 53 (probably
> only to your isp's dns server, for name resolution) if you surf directly
> (no proxy).
> If you're using a proxy, you'll need to allow the proxy port (could be
> tcp 8080) to your provider's proxy.
>
> This is outbound traffic; make sure you also allow back traffic (from
> the servers to you).

My view on this always has been to block all non-standard ports, and
open when required AND JUSTIFIED. Depends on your business rules and
politics. You could also have an internal cache DNS running on a cheap
Linux box and allow ONLY THIS BOX to use 53/udp. Some firewalls also can
act as a cache DNS.
JF
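
The policy discussed in this message (default deny, web on 80/tcp, DNS on port 53 only from one internal caching box to the ISP's resolver, return traffic allowed), sketched as an nftables forward chain for a Linux firewall. This is an added example, not part of the original post; the interface names and all addresses are assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example. Covers only traffic forwarded through the firewall;
# the firewall's own input/output chains are not shown here.

# All values below are assumptions, replace with your own.
define LAN_IF    = "eth1"            # inside interface
define WAN_IF    = "eth0"            # outside interface
define LAN_NET   = 192.168.1.0/24    # internal clients
define DNS_CACHE = 192.168.1.53      # the one internal caching DNS box
define ISP_DNS   = 192.0.2.53        # placeholder for the ISP's resolver

table inet fw_example {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # "Back traffic": replies to connections that were allowed out.
        ct state established,related accept
        ct state invalid drop

        # DNS: only the caching box may query, and only the ISP resolver.
        # TCP 53 is kept for responses too large for UDP.
        iifname $LAN_IF oifname $WAN_IF ip saddr $DNS_CACHE ip daddr $ISP_DNS udp dport 53 accept
        iifname $LAN_IF oifname $WAN_IF ip saddr $DNS_CACHE ip daddr $ISP_DNS tcp dport 53 accept

        # Web browsing (http) from internal clients.
        iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET tcp dport 80 ct state new accept

        # Further ports go here only when required and justified.

        # Log what falls through to the drop policy, rate limited, so
        # blocked non-standard ports can be reviewed.
        limit rate 5/second log prefix "fw-drop: "
    }
}
```

Clients resolve names through the caching box on the LAN, so their own queries to outside port 53 hit the drop policy and appear in the log.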