[Dshield] new: Firewall log and rules
superc at visuallink.com
Thu Oct 2 15:31:24 GMT 2003
Bjorn, I didn't say I left them open. Read it again. I said I am debating
the wisdom of fully closing them. They were closed when I wrote the post
and still are. What I wanted to know was if those ports were/are of any
legitimate purpose to a home user. For several reasons I disagree with "I
think most people on this list block everything by default and only open
ports that they use."
First, many people getting the list are not computer professionals and some
have little idea what a port is and they are reading this in the hopes of
learning something. Some might not even have a firewall, much less know
about the existence of firewall rules. If they have a firewall it might be
one of the free ones that really doesn't allow them to close much of
anything. Been there, done that. Some here have commercial packages
costing beaucoup bucks, degrees and MS and Cisco certifications and
multiple servers they run and are reading and writing here on company time.
Some have $50 firewalls someone gave them as a gift and a GED for
education and do this on their own from home at their own expense. Beyond
agreeing that most people here read English, there is way too much
diversity for an all-encompassing statement like "most people here."
As far as "block everything by default" goes, that would be nice, but it is
my understanding there are about 65,000 port addresses on the average
Windows machine. That's a lot of port block rules to write. Possibly your
firewall allows the entry of port ranges. I don't think my version of
Norton does. I find myself forced to enter them one at a time. My sense
of how I should be spending my days doesn't allow me to make 65,000
entries. Clearly some are blocked by default by Norton or it wouldn't be
much of a firewall. Equally clear is some are not being closed or I
wouldn't be forced to write rules. Now when I search on Google for ports
and windows of the 30K or so replies most seem to deal with viruses, worms,
trojans, and something esoteric to all but Windows professionals, called
processes. Weird things like cisvc.exe, or cdac11ba.exe, or something
called protocols and tcp and udp, or MS-SQL-M (Microsoft SQL Monitor) and
other useless data. Not what I (and possibly others) want or need.
What I desire is a simple list of what ports Windows 95, 98, ME, and XP in
the home really need and why. If someone tells us "oh, port 1434 is needed
for the SQL Monitor" without explaining what SQL is, that tells someone
nothing, beyond implying Windows really does need the port to be unblocked.
More informative would be: "SQL statements are used to perform tasks such
as update data on a database, or retrieve data from a database. Some common
relational database management systems that use SQL are: Oracle, Sybase,
Microsoft SQL Server, Access, Ingres, etc" and if you do that over the
internet you should keep the port (1434) open, but if you don't, then get
rid of it. Ports exist for a reason. 17300 is watched by some for
something obscure called SYN packets (which newbies need not worry about)
and is scanned by others seeking Kuang and SQL Slammer virus victims, but
what legitimate purpose does it serve and do we lose that when we block it?
It wasn't easy to dig out (of Google) that 17300 is used as a commo port by
some wireless modems and motor vehicle (interstate shipments) tracking
software, but if you don't have that, don't worry about it. 901 is used by
LANs and software like Samba or Swat. A home user probably won't need it.
About blocking something called "Class A and B netblocks": why not? That
is where the probes come from and they, being self important, or whatever,
have chosen not to respond to my consumer complaints or respond to my
polite emails, nor (apparently and most importantly) do anything about the
problem users sending hostile probes. If that is their attitude, then
firmly closing the door to them is mine. If I was a somebody and, if I had
enough clout at the FCC and the ICC and in the Senate, I would probably
order their licenses or whatever revoked as a consequence and pull them
from the net in the hopes that whoever ran their replacement would be more
responsible about tracking down problem machines. I don't, so simply
blocking them from my PC is the best I can do. Living "without the
information that vast range of ip addresses possesses" seems to be easy. I
have a dozen or so pages of bookmarked web pages in this PC, about 1400
links I think. I spent a few hours in the wee hours of yesterday AM
visiting them all. And, I did some online transactions and ran some Google
searches and visited dozens of web pages. Guess what? Not a single site
was blocked (although some seem to have expired in the past decade). Full
connectivity. Oh, I don't know, I might be missing a few unwanted
advertisements, but they are normally filtered out anyway. Perhaps the
kinds of sites I bookmark are too narrow minded, but given the number of
topics covered I doubt that is the problem. So much for the valuable
information in the vast range of ip addresses encompassed. Not replying
to, sending to, or receiving or even acknowledging the many probes I was
getting from that range does help prevent the compromise of my systems.
Based on that, I think blocking them out is a great idea and will play with
additions to the list.
Flame on sir, flame on.
IP professionals can stop here.
Since viewing your reply I obviously did some research on my own and found
http://www.ehugin.com/security/rfc/rfc1700.html which lists the original
intended purposes of the different ports. Clearly some ports are useless
to the Joe Sixpack home user. Many are assigned to obscure things like
"Network DataMover Requester" or "FODMS FLIP" which will themselves require
a Google search to see if they are somehow important, but at least the list
is a start. If others know of a site that lists the port numbers and what
specific programs (as opposed to useless terms like SQL and FODMS FLIP) use
what specific port numbers, that too would probably be helpful.
Subject: Re: [Dshield] new: Firewall log and rules
From: "Bjorn Stromberg" <bjorn at thechemistrylab.com>
Date: Wed, 1 Oct 2003 12:59:11 -0600
To: "General DShield Discussion List" <list at dshield.org>
You block an entire Class A netblock, 21 entire class B netblocks and yet
you leave unused ports with known vulnerabilities open?
The goal of security is not to decrease the size of your logs, it's to
prevent the compromise of your systems. I think most people on this list
block everything by default and only open ports that they use. I think
blocking netblocks is a terrible idea, if you can live without the
information that vast range of ip addresses possesses that's entirely your
choice. *stifles the urge to flame further*
Mid-Continent Testing Laboratories, Inc.
"I note my firewall alerts have gotten much shorter since I told my PC to
not acknowledge, send or receive anything whatsoever from the Asia Pacific
range of IP numbers, i.e., 220.127.116.11 - 18.104.22.168. Also ruled out was
Comcast Cable Wireless in the 22.214.171.124 - 126.96.36.199 range and Qwest
in the 188.8.131.52 - 184.108.40.206 range. No discernible negative side
effects on connectivity or email from locking them out so far. I might
have something here. I am thinking of adding RR to the list. As this is a
standalone PC I am still debating the wisdom of fully closing the ports at
1434, 901, and 17300 as was done to 135 and 445. What do you all think?"
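Added example, not code from either poster or from any firewall product named in this thread. It models the "block everything by default and only open ports that you use" policy Bjorn describes, and shows why it does not require 65,000 per-port entries: anything not matched falls through to a single final deny, and a whole netblock is one CIDR entry rather than a list of addresses. Everything here is assumed: the host address 192.0.2.1, the blocked ranges (RFC 5737 documentation prefixes standing in for the ranges quoted in the post), the single hypothetical opened port (tcp/22), the constructed traffic, and a stateful firewall that lets replies to connections the host opened back in, which is how a stand-alone PC keeps full connectivity with every inbound port closed.

```python
"""Default-deny firewall policy, modelled in Python (added example).

Assumptions, not from the thread: host is 192.0.2.1, blocked netblocks are
RFC 5737 documentation prefixes, the firewall is stateful, and tcp/22 is a
hypothetical opened port so the allow path is exercised.
"""
import ipaddress
from dataclasses import dataclass

# One entry per netblock to drop in both directions (constructed ranges).
BLOCKED_NETBLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Inbound (proto, port) pairs this host deliberately serves. For a
# stand-alone home PC this set would be empty. Ports 135, 445, 901, 1434
# and 17300 are closed simply by not being listed here.
ALLOWED_INBOUND = {("tcp", 22)}  # hypothetical: only if you run an SSH server


@dataclass(frozen=True)
class Packet:
    direction: str             # "in" (to this host) or "out" (from this host)
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    dport: int
    established: bool = False  # reply to a connection this host opened


def in_blocked_netblock(addr: str) -> bool:
    """True if addr falls inside any blocked CIDR range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETBLOCKS)


def decide(pkt: Packet) -> str:
    """Return 'ALLOW' or 'DROP' for one packet under the default-deny policy."""
    # 1. Netblock rule first: silently drop both directions.
    peer = pkt.src if pkt.direction == "in" else pkt.dst
    if in_blocked_netblock(peer):
        return "DROP"
    # 2. Stateful: replies to connections we opened are let back in.
    if pkt.established:
        return "ALLOW"
    # 3. New outbound connections (web, mail, DNS) are allowed.
    if pkt.direction == "out":
        return "ALLOW"
    # 4. New inbound connections: only ports explicitly opened.
    if (pkt.proto, pkt.dport) in ALLOWED_INBOUND:
        return "ALLOW"
    # 5. Everything else hits the default deny; no per-port rule needed.
    return "DROP"


def rule_count() -> int:
    """Rules actually written: netblocks + opened ports + the final deny."""
    return len(BLOCKED_NETBLOCKS) + len(ALLOWED_INBOUND) + 1


# Constructed traffic, not a real firewall log.
SAMPLE_TRAFFIC = [
    Packet("in", "203.0.113.7", "192.0.2.1", "tcp", 135),         # probe from blocked range
    Packet("in", "192.0.2.200", "192.0.2.1", "udp", 1434),        # Slammer-style probe
    Packet("in", "192.0.2.200", "192.0.2.1", "tcp", 17300),       # unsolicited, unlisted port
    Packet("in", "192.0.2.200", "192.0.2.1", "tcp", 22),          # the one opened port
    Packet("out", "192.0.2.1", "192.0.2.80", "tcp", 443),         # browsing
    Packet("in", "192.0.2.80", "192.0.2.1", "tcp", 51234, True),  # reply to the browse
    Packet("out", "192.0.2.1", "198.51.100.9", "tcp", 80),        # outbound into blocked range
]


def evaluate(packets=SAMPLE_TRAFFIC) -> list:
    """Apply the policy; returns (direction, peer, proto, dport, verdict) rows."""
    rows = []
    for p in packets:
        peer = p.src if p.direction == "in" else p.dst
        rows.append((p.direction, peer, p.proto, p.dport, decide(p)))
    return rows


if __name__ == "__main__":
    print(f"{rule_count()} rules written cover all 65535 ports")
    for row in evaluate():
        print(*row)
```

The ordering matters: the netblock check runs before the stateful check, so even a connection this host opened toward a blocked range is dropped, matching "not acknowledge, send or receive anything whatsoever" from the quoted post. Adding a port to ALLOWED_INBOUND is the only way to open it; removing the tcp/22 entry leaves a home PC with three rules and every inbound port closed.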