I normally block all _inbound_ access, except to ports I expressly allow: 
tcp/25, udp/53 + tcp/53 (with BIND config. restrictions on who can initiate 
zone transfers), tcp/80, and maybe one or two others, depending on our 
requirements.  Source ports on packets destined for these services are 
restricted to unprivileged ports (1024:65535), except in the case of 
udp/53, in which I allow unrestricted (remote) source ports.  Inbound 
packets are restricted to the access granted above, plus response packets 
destined for unprivileged ports, coming from services expressly allowed in 
the outbound rules.

I typically restrict outbound access to specific services (tcp/80, tcp/21 
and a few others for clients, tcp/25, tcp/udp/53 for the firewall), and 
block source ports which are less than 1024, thus only allowing 
unprivileged source ports for outbound access.  This is good to control 
exactly what is leaving your network, but depending on your requirement 
(home LAN vs client LAN) you may or may not want to allow all outbound access.

So, yes, it sounds like you're on a good start: deny everything, then open 
up only what you need.


At 03:34 PM 3/6/00 +0000, you wrote:
>Hi,
>We are going to be using AltaVista firewall and proxy on an NT box. I know 
>that I should
>close all other services on NT,
>change administration account name,
>block 6665-7000 for chat
>block all tcp/udp except 80.
>What else should I do, for example what are the BO trojan ports?
>Can somebody send port numbers and/or other things that I should write to 
>my firewall.
>thanks.
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]

-----------------------------------------------------------------
Jon Earle                       (613) 612-0946 (Cell)
HUB Computer Consulting Inc.    (613) 830-1499 (Office)
http://www.hubcc.ca             1-888-353-7272 (Within Canada/US)

"God does not subtract from one's allotted time on Earth,
those hours spent flying."       --Unknown


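The deny-everything-then-open-what-you-need policy described in the reply above, modelled as a small stateless packet filter. This is an added illustration, not the author's ruleset or anything from the original thread: the Pkt record, the service tables and the require_ack option are assumptions made here so the three rule groups (inbound services with source-port limits, replies to our own clients, outbound services from unprivileged source ports only) can be exercised against constructed sample traffic.

```python
"""Stateless packet-filter policy modelled on the rules the reply above describes.

Added example, not the author's actual ruleset: the service tables, the Pkt
fields and the require_ack option are assumptions made here for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

UNPRIV = range(1024, 65536)   # "unprivileged" ports, as in the reply
ANY = range(0, 65536)


@dataclass(frozen=True)
class Pkt:
    direction: str      # "in" (from the outside) or "out" (from our LAN)
    proto: str          # "tcp" or "udp"
    sport: int          # source port
    dport: int          # destination port
    ack: bool = False   # TCP ACK flag; a fresh connection attempt has it clear


# Inbound services we expose -> remote source ports accepted for each.
# udp/53 is the exception: remote resolvers may query from any source port.
INBOUND: Dict[Tuple[str, int], range] = {
    ("tcp", 25): UNPRIV,
    ("tcp", 53): UNPRIV,
    ("udp", 53): ANY,
    ("tcp", 80): UNPRIV,
}

# Services our clients and the firewall itself may reach outbound (assumed set).
OUTBOUND: Set[Tuple[str, int]] = {
    ("tcp", 80), ("tcp", 21),               # clients
    ("tcp", 25), ("tcp", 53), ("udp", 53),  # the firewall's own traffic
}


def decide(p: Pkt, require_ack: bool = False) -> Tuple[bool, str]:
    """Return (accepted, matching rule) for one packet. Anything unmatched is denied."""
    if p.direction == "out":
        if p.sport not in UNPRIV:
            return False, "outbound: privileged source port"
        if (p.proto, p.dport) in OUTBOUND:
            return True, "outbound: allowed service"
        return False, "outbound: default deny"

    allowed_sports = INBOUND.get((p.proto, p.dport))
    if allowed_sports is not None:
        if p.sport in allowed_sports:
            return True, "inbound: allowed service"
        return False, "inbound: bad source port for service"

    # Replies to connections our side opened: remote port is one of the allowed
    # outbound services and the local port is unprivileged. A stateless filter
    # cannot tell a genuine reply from a packet an attacker sends with that
    # source port; the classic mitigation (ipchains' "! -y") is to refuse
    # SYN-only packets on this rule, which require_ack models here.
    if (p.proto, p.sport) in OUTBOUND and p.dport in UNPRIV:
        if require_ack and p.proto == "tcp" and not p.ack:
            return False, "inbound: reply rule refused SYN-only packet"
        return True, "inbound: reply to our client"
    return False, "inbound: default deny"


def allowed(p: Pkt, require_ack: bool = False) -> bool:
    return decide(p, require_ack)[0]


# Constructed sample traffic; none of it comes from the original post.
SAMPLES = [
    Pkt("in", "tcp", 40000, 80),    # browser reaching our web server
    Pkt("in", "tcp", 80, 80),       # privileged source port: dropped
    Pkt("in", "udp", 53, 53),       # DNS from a resolver using port 53: ok
    Pkt("in", "tcp", 40000, 22),    # ssh is not exposed
    Pkt("in", "tcp", 80, 1025),     # looks like a web reply (stateless rule)
    Pkt("out", "tcp", 40000, 80),   # client browsing out
    Pkt("out", "tcp", 40000, 23),   # telnet out: not in the outbound set
]

if __name__ == "__main__":
    for p in SAMPLES:
        ok, why = decide(p)
        verdict = "ACCEPT" if ok else "DROP"
        print(f"{p.direction:3} {p.proto}/{p.sport}->{p.dport}: {verdict:6} ({why})")
```

The fifth sample is the one to watch: a packet from remote tcp/80 to any local port above 1023 is accepted by the reply rule whether or not anyone on the inside asked for it. Passing require_ack=True to decide() refuses it unless the ACK flag is set, which is the check a stateless filter of this era relied on; a stateful filter tracks the outbound connection instead and does not need the reply rule at all.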