[Dshield] new: Firewall log and rules

Kenneth Coney superc at visuallink.com
Thu Oct 2 15:31:24 GMT 2003

Bjorn, I didn't say I left them open.  Read it again.  I said I am debating 
the wisdom of fully closing them.  They were closed when I wrote the post 
and still are.  What I wanted to know was if those ports were/are of any 
legitimate purpose  to a home user.  For several reasons I disagree with "I 
think most people on this list block everything by default and only open 
ports that they use."

First, many people getting the list are not computer professionals and some 
have little idea what a port is and they are reading this in the hopes of 
learning something.  Some might not even have a firewall, much less know 
about the existence of firewall rules.  If they have a firewall it might be 
one of the free ones that really doesn't allow them to close much of 
anything.  Been there, done that.  Some here have commercial packages 
costing beau coup bucks, degrees and MS and Cisco certifications and 
multiple servers they run and are reading and writing here on company time. 
  Some have $50 firewalls someone gave them as a gift and a GED for 
education and do this on their own from home at their own expense.  Beyond 
agreeing that most people here read English, there is way too much 
diversity for an all encompassing statement like "most people here."

As far as "block everything by default" goes, that would be nice, but it is 
my understanding there are about 65,000 port addresses on the average 
Windows machine.  That's a lot of port block rules to write.  Possibly your 
firewall allows the entry of port ranges.  I don't think my version of 
Norton does.  I find myself forced to enter them one at a time.  My sense 
of how I should be spending my days doesn't allow me to make 65,000 
entries.  Clearly some are blocked by default by Norton or it wouldn't be 
much of a firewall.  Equally clear is some are not being closed or I 
wouldn't be forced to write rules.  Now when I search on Google for ports 
and windows of the 30K or so replies most seem to deal with viruses, worms, 
trojans, and something esoterical to all but Windows professionals, called 
processes.  Weird things like cisvc.exe, or cdac11ba.exe, or something 
called protocols and tcp and udp, or MS-SQL-M (microsoft SQL Monitor) and 
other useless data.  Not what I (and possibly others) want or needed.

What I  desire is a simple list of what ports Windows 95, 98, ME, and XP in 
the home really need and why.  If someone tells us oh, 1434 port is needed 
for the SQL Monitor, without explaining what is an SQL, tells someone 
nothing, beyond implying Windows really does need the port to be unblocked. 
  More informative would be; "SQL statements are used to perform tasks such 
as update data on a database, or retrieve data from a database. Some common 
relational database management systems that use SQL are: Oracle, Sybase, 
Microsoft SQL Server, Access, Ingres, etc" and if you do that over the 
internet you should keep the port (1434) open, but if you don't, then get 
rid of it.  Ports exist for a reason.  17300 is watched by some for 
something obscure called SYN packets (which newbies need not worry about) 
and is scanned by others seeking Kuang and SQL Slammer virus victims, but 
what legitimate purpose does it serve and do we lose that when we block it? 
  It wasn't easy to dig out (of Google) 17300 is used as a commo port by 
some wireless modems and motor vehicle (interstate shipments) tracking 
software, but if you don't have that, don't worry about it.  901 is used by 
LANs and software like Samba or Swat.  A home user probably won't need it.

About blocking something called "Class A and B netblocks,"  Why not?  That 
is where the probes come from and they, being self important, or whatever, 
have chosen not to respond to my consumer complaints or respond to my 
polite emails, nor (apparently and most importantly) do anything about the 
problem users sending hostile probes.  If that is there attitude, then 
firmly closing the door to them is mine.  If I was a somebody and, if I had 
enough clout at the FCC and the ICC and in the Senate, I would probably 
order their licenses or whatever revoked as a consequence and pull them 
from the net in the hopes that whoever ran their replacement would be more 
responsible about tracking down problem machines.  I don't, so simply 
blocking them from my PC is the best I can do.  Living "without the 
information that vast range of ip addresses possesses" seems to be easy.  I 
have a dozen or so pages of bookmarked web pages in this PC, about 1400 
links I think.  I spent a few hours in the wee hours of yesterday AM 
visiting them all.  And, I did some online transactions and ran some Google 
searches and visited dozens of web pages.  Guess what?  Not a single site 
was blocked (although some seem to have expired in the past decade). Full 
connectivity.  Oh, I don't know, I might be missing a few unwanted 
advertisements, but they are normally filtered out anyway.  Perhaps the 
kinds of sites I bookmark are too narrow minded, but given the number of 
topics covered I doubt that is the problem.  So much for the valuable 
information in the vast range of ip addresses encompassed.  Not replying 
to, sending to, or receiving or even acknowledging the many probes I was 
getting from that range does help prevent the compromise of my systems. 
Based on that, I think blocking them out is a great idea and will play with 
additions to the list.

Flame on sir, flame on.

IP professionals can stop here.
Since viewing your reply I obviously did some research on my own and found 
http://www.ehugin.com/security/rfc/rfc1700.html which lists the original 
intended purposes of the different ports.  Clearly some ports are useless 
to the Joe Sixpack home user.  Many are assigned to obscure things like 
"Network DataMover Requester" or "FODMS FLIP" which will themselves require 
a Google search to see if they are somehow important, but at least the list 
is a start.  If others know of a site that lists the port numbers and what 
specific programs (as opposed to useless terms like SQL and FODMS FLIP) use 
what specific port numbers, that too would probably be helpful.

Subject: Re: [Dshield] new: Firewall log and rules
From: "Bjorn Stromberg" <bjorn at thechemistrylab.com>
Date: Wed, 1 Oct 2003 12:59:11 -0600
To: "General DShield Discussion List" <list at dshield.org>

You block an entire Class A netblock, 21 entire class B netblocks and yet
you leave unused ports with known vulnerablities open?

The goal of security is not to decrease the size of your logs, it's to
prevent the compromise of your systems. I think most people on this list
block everything by default and only open ports that they use. I think
blocking netblocks is a terrible idea, if you can live without the
information that vast range of ip addresses possesses that's entirely your
choice. *stifles the urge to flame further*

Bjorn Stromberg
Mid-Continent Testing Laboratories, Inc.

"I note my firewall alerts have gotten much shorter since I told my PC to
not acknowledge, send or receive anything whatsoever from the Asia Pacific 
range of IP numbers, i.e., -  Also ruled out was 
Comcast Cable Wireless in the - range and Qwest 
in the - range.  No discernible negative side
effects on connectivity or email from locking them out so far.  I might 
have something here.  I am thinking of adding RR to the list.  As this is a
standalone PC I am still debating the wisdom of fully closing the ports at
1434, 901, and 17300 as was done to 135 and 445.  What do you all think?"

More information about the list mailing list