Create filters similar to:

  #Block/nolog NETBIOS TCP access (PSN).
       Deny   "PSN" TCP  nolog
          from a.b.c.0/255.255.255.0
            to "ANY_IP" 135 139

  #Block/nolog NETBIOS TCP access (PRO).
       Deny   "PROTECTED" TCP  nolog
          from w.x.y.0/255.255.255.0
            to "ANY_IP" 135 139

  #Block/nolog NETBIOS UDP access (PSN).
       Deny   "PSN" UDP  nolog
          from a.b.c.0/255.255.255.0
            to "ANY_IP" 135 137 138

  #Block/nolog NETBIOS UDP access (PRO).
       Deny   "PROTECTED" UDP  nolog
          from w.x.y.0/255.255.255.0
            to "ANY_IP" 135 137 138

Where  a.b.c.0  is the PSN network address and
w.x.y.0  is the PRO network address.

I have done this using 4 filters because:
1.  This allows you to block/nolog NETBIOS traffic
    on the PRO and PSN while still logging NETBIOS
    traffic on the EXT
2.  NETBIOS takes some TCP ports and some UDP ports.
    If you specify a port number, you must also
    specify a protocol.


Mike Burden
Lynk Systems
(616)532-4985
[EMAIL PROTECTED]


> -----Original Message-----
> From: Dieter Lubbe [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 11, 2000 9:53 AM
> To: 'Michael W. Burden'; [EMAIL PROTECTED]
> Subject: RE: Secure Filters
>
>
> Any idea on how I can stop GNAT from generating an alarm
> every time NETBIOS tries to access port 137 on the firewall?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Michael W. Burden
> Sent: Tuesday, July 11, 2000 2:58 PM
> To: Dieter Lubbe; [EMAIL PROTECTED]
> Subject: RE: Secure Filters
>
>
> --------------------- Attention -----------------------------
> Online GNAT Box User Forum is Now Open
> Click the Register link and sign up today
> http://www.gnatbox.com/cgi-bin/Ultimate.cgi
> -------------------------------------------------------------
> Send postings to: [EMAIL PROTECTED]
> Access the list archives at: http://www.gnatbox.com/gb-users/
> -------------------------------------------------------------
> The rather liberal use of "From Any IP to Any IP" in this filter
> set would make me more than a little nervous.
>
> The filters should be narrowed down to only allow connections to
> the IP Addresses (or aliases) that you intend for the services.
>
> That's about as specific as I can get without also seeing the
> tunnels, and possibly a list of servers on your network, what
> services they provide, and to whom they provide them.
>
> Mike Burden
> Lynk Systems
> (616)532-4985
> [EMAIL PROTECTED]
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Dieter Lubbe
> > Sent: Tuesday, July 11, 2000 7:36 AM
> > To: [EMAIL PROTECTED]
> > Subject: Secure Filters
> >
> >
> > Hi All,
> >
> > I inherited a firewall at my new job and the previous guy had it
> > set up as follows,
> >
> > How secure are these filters?
> > Does anyone have an idea on how to improve on them?
> >
> > Cheers
> > Dieter
> >
> > FILTERS
> >   OUTBOUND
> >      1 #Full Access
> >        Accept "PROTECTED" ALL
> >           from "ANY_IP"
> >             to "ANY_IP"
> >
> >   REMOTE ACCESS
> >      1 #Allow web
> >        Accept ANY TCP
> >           from "ANY_IP"
> >             to "ANY_IP" 25 80 110 443 8888 77 1521
> >
> >      2 #DNS
> >        Accept ANY UDP
> >           from "ANY_IP"
> >             to "ANY_IP" 53
> >
> >      3 #Allow ping and traceroute
> >        Accept ANY ICMP
> >           from "ANY_IP"
> >             to "ANY_IP"
> >
> >      4 #Allow protected network access to WWW remote admin server.
> >        Accept "PROTECTED" TCP
> >           from 10.1.1.214/255.255.255.0
> >             to 10.1.1.1/255.255.255.255 8888
> >
> >      5 #Allow protected network access to RMC remote admin server.
> >        Accept "PROTECTED" TCP
> >           from 10.1.1.214/255.255.255.0
> >             to 10.1.1.1/255.255.255.255 77
> >
> > ----------------------------------------------
> > To Unsubscribe: send mail to [EMAIL PROTECTED]
> > with "unsubscribe gb-users your_email_address
> > in the body of the message
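As an added example (not GNAT Box code and not from either poster), a small Python evaluator that parses the filter syntax used in this thread and shows what the block/nolog NETBIOS filters silence and what still gets logged, plus a check for the "ANY_IP to ANY_IP" accepts the reply warns about. First-match top-down evaluation, an implicit deny-and-log for unmatched traffic, and the constructed networks 10.2.2.0/24 (standing in for a.b.c.0) and 203.0.113.0/24 are assumptions, not documented GNAT Box behaviour.

```python
import ipaddress
import re
from collections import namedtuple

# action, iface (or "ANY"), proto (or "ALL"), log (False for nolog), src/dst (IPv4Network or None for ANY_IP), ports (frozenset)
Filter = namedtuple("Filter", "action iface proto log src dst ports")

def parse_net(tok):
    """'a.b.c.0/255.255.255.0' -> IPv4Network; '"ANY_IP"' -> None (matches everything)."""
    return None if tok.strip('"') == "ANY_IP" else ipaddress.IPv4Network(tok, strict=False)

def parse_filters(text):
    """Parse blank-line separated blocks: <Action> "<iface>" <proto> [nolog] / from X / to Y [ports]."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, frm, to = [l.split() for l in block.splitlines() if l.split() and l.split()[0][0] != "#"]
        rules.append(Filter(head[0], head[1].strip('"'), head[2], "nolog" not in head[3:],
                            parse_net(frm[1]), parse_net(to[1]), frozenset(map(int, to[2:]))))
    return rules

def evaluate(rules, iface, proto, src, dst, dport=0):
    """(action, logged) for one packet. Assumed semantics: top-down, first match wins, and an
    unmatched packet is dropped and logged, so NETBIOS probes arriving on EXT still raise an alarm."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r.iface not in ("ANY", iface) or r.proto not in ("ALL", proto):
            continue
        if (r.src is not None and s not in r.src) or (r.dst is not None and d not in r.dst):
            continue
        if r.ports and dport not in r.ports:
            continue
        return r.action, r.log
    return "Deny", True

def wide_open(rules):
    """Indexes of Accept rules that go from ANY_IP to ANY_IP, the pattern the reply warns about."""
    return [i for i, r in enumerate(rules) if r.action == "Accept" and r.src is None and r.dst is None]

# Constructed sample: the PSN UDP filter from the reply (10.2.2.0/24 stands in for a.b.c.0)
# plus the DNS rule from the original ruleset, which still accepts "ANY_IP" to "ANY_IP".
RULES = parse_filters('''
#Block/nolog NETBIOS UDP access (PSN).
     Deny   "PSN" UDP  nolog
        from 10.2.2.0/255.255.255.0
          to "ANY_IP" 135 137 138

     Accept ANY UDP
        from "ANY_IP"
          to "ANY_IP" 53
''')
```

The sample deliberately leaves out the TCP counterpart, so a TCP probe to port 139 from the PSN falls through to the implicit deny and is still logged, which is exactly why the reply needs separate TCP and UDP filters per interface.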