Re: Would these firewall rules work for me?

From: bensmyth (noreply_at_test.com)
Date: 03/31/05


Date: Thu, 31 Mar 2005 17:07:44 +0100


> I'm relatively new to firewalls, etc, but I now have broadband, a
> router, and consequently a hardware firewall.
>
> I don't run any services on my PC with the exception of VNC, and have a
> NAT on the firewall to allow this to work.
>
> Given this, would the following set of rules for my firewall work, or
> would I "break" something I need?
>
> 1. Block all incoming tcp traffic to ports <1024
> 2. Block all non-established incoming tcp traffic to ports >1023 (w/
> exception of VNC's port)
> 3. Block all outgoing tcp traffic from ports <1024
>
> Also, would the same set of rules for udp be appropriate?

You're going about things the wrong way!!

Deny everything, unless you explicitly require it.

eg.
src, s_port, dest, d_port, permission, comment
*, *, *, 80, allow, //Allow HTTP
*, *, *, >=1024, allow, //Allow responses to unprivileged ports
*, *, *, *, deny, //default deny

You will of course have to add rules for everything else...
FTP, SMTP, DNS are all musts hence
*, *, *, 20, allow, //FTP
*, *, *, 21, allow, //FTP
*, *, *, 25, allow, //SMTP
*, *, *, 53, allow, //DNS

Please don't take everything I say as given!! I am just learning this stuff
myself; hopefully someone will confirm what I have said (backing up what I think
I know....)

Regards,

Ben
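As an added illustration (an editor's example, not code from Ben or from the original thread): a small first-match evaluator for the rule table above, run over a few constructed sample packets. It assumes the columns are matched top to bottom with the first matching line deciding, that the table's last line is the default deny, and it fails closed if that line is missing; the addresses are documentation-range values chosen for the example, and the FTP/SMTP/DNS lines are placed above the default deny because a trailing `*, *, *, *` line would otherwise shadow them. Running it prints which rule each packet hits, which makes visible that the `>=1024` line is what admits a packet to port 5900 as well as a DNS reply to a high port, since the table as written has no direction or connection-state column.

```python
"""First-match evaluator for a 'src, s_port, dest, d_port, permission, //comment' rule table."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

PortMatch = Callable[[int], bool]
AddrMatch = Callable[[str], bool]


def port_spec(spec: str) -> PortMatch:
    """Turn a port column ('*', '80', '>=1024', '<1024', ...) into a predicate."""
    spec = spec.strip()
    if spec == "*":
        return lambda p: True
    ops = {  # two-character operators are listed (and therefore tested) first
        ">=": lambda n: lambda p: p >= n,
        "<=": lambda n: lambda p: p <= n,
        ">": lambda n: lambda p: p > n,
        "<": lambda n: lambda p: p < n,
    }
    for op, make in ops.items():
        if spec.startswith(op):
            return make(int(spec[len(op):]))
    n = int(spec)
    return lambda p: p == n


def addr_spec(spec: str) -> AddrMatch:
    """Address column: '*' or an exact address (no CIDR, to keep the example small)."""
    spec = spec.strip()
    if spec == "*":
        return lambda a: True
    return lambda a: a == spec


@dataclass
class Packet:
    src: str
    s_port: int
    dest: str
    d_port: int


@dataclass
class Rule:
    src: AddrMatch
    s_port: PortMatch
    dest: AddrMatch
    d_port: PortMatch
    permission: str
    comment: str

    def matches(self, pkt: Packet) -> bool:
        return (self.src(pkt.src) and self.s_port(pkt.s_port)
                and self.dest(pkt.dest) and self.d_port(pkt.d_port))


def parse_rules(table: str) -> List[Rule]:
    """Parse lines in the post's column layout; blank lines and '#' comments are skipped."""
    rules = []
    for line in table.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, s_port, dest, d_port, perm, comment = [f.strip() for f in line.split(",", 5)]
        if perm not in ("allow", "deny"):
            raise ValueError(f"bad permission {perm!r} in rule: {line}")
        rules.append(Rule(addr_spec(src), port_spec(s_port), addr_spec(dest),
                          port_spec(d_port), perm, comment.lstrip("/").strip()))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (permission, comment) of the first matching rule; no match means deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.permission, rule.comment
    return "deny", "implicit deny"  # fail closed even without an explicit last line


# The table from the post, with the extra allow lines above the default deny
# (assumed ordering: first match wins, so the catch-all must come last).
RULE_TABLE = """
*, *, *, 80, allow, //Allow HTTP
*, *, *, 20, allow, //FTP
*, *, *, 21, allow, //FTP
*, *, *, 25, allow, //SMTP
*, *, *, 53, allow, //DNS
*, *, *, >=1024, allow, //Allow responses to unprivileged ports
*, *, *, *, deny, //default deny
"""
RULES = parse_rules(RULE_TABLE)

# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLES = [
    Packet("192.0.2.10", 40000, "203.0.113.5", 80),    # web request
    Packet("192.0.2.10", 40001, "203.0.113.5", 22),    # SSH: not in the table
    Packet("203.0.113.5", 53, "192.0.2.10", 40002),    # DNS reply to a high port
    Packet("198.51.100.7", 1234, "192.0.2.10", 5900),  # inbound to the VNC port
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        perm, why = evaluate(RULES, pkt)
        print(f"{pkt.src}:{pkt.s_port} -> {pkt.dest}:{pkt.d_port}: {perm} ({why})")
```

The evaluator deliberately returns the comment of the matching line, not just allow/deny: when reviewing a table like this, knowing which line admitted a packet is what tells you whether a broad rule (here the `>=1024` one) is doing more work than intended.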
