Although what ports you have open or blocked is important, it is even more
important to be sure you know what you have listening on those ports.  I
prefer to block all ports, open up ports for which my firewall gateway has
an acceptable proxy, and do without all the other traffic, whether UDP,
TCP, or other.  This means that, even if some well-meaning internal user
starts a service on port A, no external user can connect to that port.
This applies to ports above 1024 as well as ports 1024 and below.

"Michael T. Babcock" <[EMAIL PROTECTED]> on 08/27/2000 02:44:33 PM

 To:      Delmer Harris/ASFMT@ASFMT
 cc:      "Brian J. Dyrehauge" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
 Subject: Re: Newbie - Golden questions

Delmer Harris wrote:

> Warning - the following is tainted by opinion and bias.
>
> It's not only the port that has to be opened but also what is on the
> other side listening at that port.  IMNSHO there should be no port open
> unless you have a "hardened", "trusted" proxy listening and responding
> at that port.  Exceptions to this hard rule should be made only under
> duress and threat of financial damage, and even then you should require
> official recognition of the increased risks presented by opening the
> port.  Your security policy (and mileage) may vary.

Does your statement apply only to ports < 1024?  I have all ports blocked
except those above 1024, and then specifically reject packets to certain
ranges from the outside (like X's ports) because I insist on the use of
tunneling, like SSH's.

With the exception of certain firewall packages that use intelligent
methods to open ports for returned packets, UDP-based user communication
software (among others) requires a looser firewall than above...




-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
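An added illustration of the policy discussed above, not code from any poster on this list: audit what is actually listening on a host, judge every listener by the same proxy-only rule regardless of whether its port is above or below 1024, and render a default-deny nftables input chain in which connection tracking plays the role of the "intelligent methods to open ports for returned packets" Michael mentions. The ss-style snapshot, the process names and the allowlist are constructed, hypothetical data; the nftables syntax is real, but the table name and the allowlist contents are my own.

```python
"""Audit listening sockets against a default-deny, proxy-only firewall policy.

Added example; hypothetical data throughout.  The snapshot mimics the shape
of `ss -Hlntup` output and the allowlist says which trusted proxy is
expected on each port.  Nothing here keys off port number ranges: a
listener on 6000 or 8080 is judged exactly like one on 22.
"""
import re
from dataclasses import dataclass

# Constructed snapshot (hypothetical processes), `ss -Hlntup` style.
SS_SNAPSHOT = """\
tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128 0.0.0.0:443    0.0.0.0:* users:(("python3",pid=4410,fd=5))
tcp   LISTEN 0 128 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=901,fd=6))
udp   UNCONN 0 0   0.0.0.0:5060   0.0.0.0:* users:(("asterisk",pid=1200,fd=9))
tcp   LISTEN 0 128 0.0.0.0:6000   0.0.0.0:* users:(("Xorg",pid=650,fd=4))
"""

# Hypothetical allowlist: (proto, port) -> the only process allowed to answer there.
TRUSTED_PROXIES = {("tcp", 22): "sshd", ("tcp", 443): "haproxy"}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(snapshot):
    """Parse ss-style lines into Listener records; unparseable lines are skipped."""
    out = []
    for line in snapshot.splitlines():
        m = SS_LINE.match(line)
        if m:
            out.append(Listener(m["proto"], m["addr"], int(m["port"]), m["proc"] or "?"))
    return out


def audit(listeners, trusted):
    """Map (proto, port) to a verdict under the proxy-only policy."""
    verdicts = {}
    for l in listeners:
        key = (l.proto, l.port)
        if l.addr in LOOPBACK:
            verdicts[key] = "local-only: not reachable from outside"
        elif key in trusted and trusted[key] == l.process:
            verdicts[key] = "allowed: trusted proxy %s" % l.process
        elif key in trusted:
            # The port is open, but what is on the other side is not the proxy we vetted.
            verdicts[key] = "ALERT: port open for %s but %s is listening" % (trusted[key], l.process)
        else:
            verdicts[key] = "blocked by default-deny: %s has no proxy" % l.process
    return verdicts


def nft_ruleset(trusted):
    """Render an nftables input chain: drop everything, then punch proxy holes."""
    lines = [
        "table inet fw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    # conntrack lets replies to our own outbound UDP/TCP back in",
        "    # without opening any listening port to the outside",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for (proto, port), proc in sorted(trusted.items()):
        lines.append("    %s dport %d accept  # %s" % (proto, port, proc))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for key, verdict in sorted(audit(parse_ss(SS_SNAPSHOT), TRUSTED_PROXIES).items()):
        print("%s/%-5d %s" % (key[0], key[1], verdict))
    print(nft_ruleset(TRUSTED_PROXIES))
```

In the constructed snapshot the interesting line is 443: the port is in the allowlist, so the firewall passes it, but a Python process rather than the vetted proxy is answering, which is exactly the "what is on the other side" gap the thread warns about. Xorg on 6000 and the UDP listener on 5060 are simply never reachable, because the chain's policy is drop and no rule names them, whatever their port numbers are.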