Hi Lynn,

It depends how you configure your firewall system. I have my Smoothwall Corporate version running, and it's integrated with a module called SmoothAuth, where every user is given a user name and password. Without keying in a user name and password, they can't do anything: browsing, instant messaging or any P2P downloads.

Let's say for User A, I allow him port 80 only for browsing. I will still have to open the DNS port for the return packets. Otherwise, many pages will come back as Unknown Page, unless certain pages are cached by the proxy server.

A firewall system is there to prevent your network from being hacked into. However, I don't think that there is a firewall system that can give you 100% confirmation that no hacker can hack in. However, as administrators, we have to monitor the activities of the network traffic.

You may do a test on it: without opening the DNS port for your network, you'll know the results; it returns very, very slowly.

Oh ya, if possible, please advise me on how I can turn my QT to run on a safe port - SSL.

Cheers,
Gabriel

Lynn wrote:

Gabriel Lai,

The system works fine with those ports closed on the LAN firewall.
I just didn't want to block them if there was a reason for them to
be open.

Generally, you want to keep as many ports closed as possible.
Please keep in mind - opening ports on a firewall tends to be done
to allow the world in. It's not done to allow traffic out. But of
course I'm talking basic router/firewall equipment.
The more expensive stuff requires specifically allowing traffic in
either direction. Too much work as far as I'm concerned.

DNS seems too much of a security threat to me. It hands out
information. Info that there's no need for the world to know. Same
is true for the Windows file sharing ports.

All this came about because I've had to set up the qmail toaster's
internal firewall by hand. At first, I opened all the ports found
in the firewall.sh script.

In all the times that I installed Q.T. (while I was learning it),
every time I ran the firewall.sh script from the website, it
killed all traffic in and out of the box.
My server only has one NIC, and it's all just standard hardware.
Don't know why the iptables set by the script prevents all traffic.
I think it's the script...

I even close the 110 TCP POP3 port now, since I can use the 995
SSL POP3 port with my wonderful toaster.
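The two points raised in this thread, that return packets (DNS answers, ACKs for the host's own outbound connections) must be let back in even when only port 80 is allowed out, and that a ruleset with a default DROP policy and no stateful rule "kills all traffic in and out of the box", come down to rule ordering and connection tracking. Below is an added example, not part of this thread and not the qmail toaster's own firewall.sh: an iptables-restore ruleset for a single-NIC mail host that closes cleartext POP3 (110) and keeps POP3 over SSL (995). Assumed, not taken from the thread: the interface is named eth0, SMTP on port 25 must stay reachable from the world, and the host may initiate HTTP on port 80 for updates.

```shell
#!/bin/sh
# Added example: stateful iptables ruleset for a single-NIC mail host.
# Assumptions (not from the thread): interface eth0, SMTP (25) must stay
# reachable, outbound HTTP (80) is wanted for updates. Run with no
# arguments to print the ruleset; run as root with --apply to load it.
set -eu

IFACE="${IFACE:-eth0}"   # assumed interface name; override via environment

# Emit the ruleset in iptables-save format. Order matters: loopback and
# conntrack rules come first so that return traffic (DNS answers, replies
# to our own outbound connections) is accepted before the default DROP
# policy is reached. Comment lines are ignored by iptables-restore.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: local daemons (qmail, vpopmail, spamd, ...) talk over lo
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# stateful return traffic in both directions; without these two lines
# every DNS answer and every reply to an outbound connection is dropped
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# services the world may reach: SMTP and POP3 over SSL only (no 110)
-A INPUT -i $IFACE -p tcp --dport 25 --syn -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 995 --syn -m conntrack --ctstate NEW -j ACCEPT
# connections this host may initiate: DNS (UDP and TCP), outbound SMTP, HTTP
-A OUTPUT -o $IFACE -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# log a rate-limited sample of what the policy drops, so a lockout is visible
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
COMMIT
EOF
}

# Sanity checks a practitioner can run before applying the ruleset.
# Number of rules that accept tracked return traffic (expect 2: INPUT and OUTPUT).
count_state_rules() {
    gen_rules | grep -c -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# Number of rules that accept cleartext POP3 on port 110 (expect 0).
count_pop3_clear() {
    gen_rules | grep -c -- '--dport 110' || true
}

# Number of rules that let the host initiate DNS lookups (expect 2: UDP and TCP).
count_dns_out() {
    gen_rules | grep -c -- '-A OUTPUT .* --dport 53 '
}

case "${1:-}" in
    --apply) gen_rules | iptables-restore ;;   # atomic load: all rules or none
    *)       gen_rules ;;
esac
```

Applying with iptables-restore is atomic, so a typo rejects the whole ruleset instead of leaving the box half-configured; printing first and checking the counts above is the cheap way to catch the missing-conntrack mistake before locking yourself out.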

