Re: Using IPSec to Lock Down a Server
From: Steven L Umbach (sumbach_at_ameritech.net)
Date: 05/07/03
- Next message: Danny Sanders: "Re: access rights"
- Previous message: LP: "Re: access rights"
- In reply to: MB: "Re: Using IPSec to Lock Down a Server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 07 May 2003 20:07:01 GMT
I believe you are right in your assumption that traffic is allowed out
but not back in from the remote server because of the effective deny-inbound rule
that only allows a few specific ports to your server. I know specific rules
take precedence over general rules, no matter how they are ordered (which
makes it more confusing than a typical firewall). Basically you have a block
all inbound, allow all outbound, and specific rules for a few inbound ports.
I would try to add a few specific mirrored rules for outbound ports 80, 443,
53 etc. to see if that works. --- Steve
"MB" <matt.b@%nospam%myrealbox.com> wrote in message
news:vbijdeqjvbfe2c@corp.supernews.com...
> Steven L Umbach wrote:
> > You will need to add some rules that allow outbound traffic if you
> > want to browse the web because yes, the rule will be mirrored unless you select it
> > not to be, but that is for the better - that way you can select specific
> > ports allowed for outbound traffic instead of anything goes.
>
> Wouldn't the rule mentioned below work? Or would it not because
> it is just the inverse of the deny rule and it doesn't contain anything
> more 'specific' than the blanket BLOCK?
>
> IPSECPOL -w REG -p "Internet Port Lockdown" -r "Outbound Traffic"
> -f *=0:TCP -n PASS -x
>
> > Add rules for at
> > least port 80 out and probably for ports 443 (https) and 53 (dns - udp and
> > tcp). Ipsec is an added layer of protection, but IMHO a personal firewall is
> > a better choice in that it allows logging and even controlling ports to an
> > application - I like Kerio and it is free for personal use.
>
> I agree a firewall would be better, but I figured I would give IPSEC a
> shot since it's mentioned on technet and doesn't cost anything. This
> server sits on a business DSL connection doing the "internet" related
> tasks for the small business workgroup.
>
> > By the way it is
> > best not to show your actual tcp/ip address - for instance everyone knows
> > that you have terminal services listening for connection from anyone. ---
> > Steve
>
> Point taken, but that port is only open long enough for me to get IPSEC
> in place anyway. Then I'm only leaving it open to the local LAN subnet.
>
> >
> > http://securityadmin.info/faq.htm#firewall
>
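As an added example (not part of the thread or of either poster's configuration), here is the policy layout Steve describes written out as IPSECPOL commands: a blanket inbound block, a one-way outbound allow, and specific mirrored pass rules for outbound 80, 443 and 53 that let the replies back in. It assumes ipsecpol.exe from the Windows 2000 Resource Kit is in the PATH and reuses MB's policy name; the "HTTP In" rule is a placeholder for whatever inbound services the server really offers.

```batch
@echo off
rem Added example, not from the thread. IPSECPOL filter syntax:
rem   source=destination  one-way filter
rem   source+destination  mirrored filter (also matches the reverse direction)
rem   0 = my address, * = any address, optional :port and :protocol suffixes
rem Assumes ipsecpol.exe (Windows 2000 Resource Kit) is in the PATH.
set POL="Internet Port Lockdown"

rem General rules: block everything inbound, allow everything outbound one-way.
rem The one-way outbound rule does NOT admit the replies; that is the symptom
rem MB saw, and it is what the specific mirrored rules below are for.
ipsecpol -w REG -p %POL% -r "Block All Inbound"  -f *=0 -n BLOCK
ipsecpol -w REG -p %POL% -r "Allow All Outbound" -f 0=* -n PASS

rem Specific mirrored rules: connections from this host to remote 80/443/53
rem plus their return traffic. A filter carrying a port and protocol is more
rem specific than the blanket block, so it wins regardless of rule order.
ipsecpol -w REG -p %POL% -r "HTTP Out"    -f 0+*:80:TCP  -n PASS
ipsecpol -w REG -p %POL% -r "HTTPS Out"   -f 0+*:443:TCP -n PASS
ipsecpol -w REG -p %POL% -r "DNS Out UDP" -f 0+*:53:UDP  -n PASS
ipsecpol -w REG -p %POL% -r "DNS Out TCP" -f 0+*:53:TCP  -n PASS

rem Placeholder for the "few specific inbound ports" the server actually
rem serves: local port 80 from anywhere, mirrored so responses go out.
ipsecpol -w REG -p %POL% -r "HTTP In" -f *+0:80:TCP -n PASS

rem Caveat: IPSec filters are stateless. "0+*:80:TCP" mirrored also matches
rem any inbound TCP packet whose SOURCE port is 80, to any local port, so
rem it is wider than a stateful firewall's "established" rule would be.
rem Activate the policy (-y deactivates it, -o deletes it).
ipsecpol -w REG -p %POL% -x
```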