[Dshield] Closing ports
afrayer at frayernet.com
Thu Sep 11 00:41:59 GMT 2003
On Wed, 2003-09-10 at 18:38, Jon R. Kibler wrote:
> Exactly what firewall are you using?
Netopia R910 router
> The firewalls I am familiar with allow you to control access based upon:
> Incoming Packets
> Outgoing Packets
> Forwarded Packets
I get two out of three: I can forward or block packets inbound or
outbound, based on IP, protocol, or port.
> And within each of these categories, you can control access based upon protocol. Within each protocol, you have protocol-specific degrees of control. For example, with TCP, you can permit or deny access based upon whether it is an established session. Such capabilities generally eliminate the worry about ports > 1024.
Now that you mention it, I think I did see something about established
sessions: "Established TCP Conns. Only: Yes or No"
You suggest I set ports over 1023 as Yes?
> The usual (very general) rules are:
> Allow establishment of new incoming connections only on supported services
> Allow incoming responses to outgoing initiated sessions
> Block everything else incoming
> Block unsafe outgoing ports < 1024 (somewhat O/S dependent)
> Block unsafe outgoing protocols (ARP, RIP, etc.)
> Block forwarding
> Allow everything else outgoing
Much simpler than that, I'm afraid. I get to allow or block only on IP
addresses by protocol type and/or ports, but I get to specify source and
destination port values, and I can use simple logical operators to
define a port range, such as >1023, or =123. And there was the
established connections line I'd forgotten about. I suppose that was the
dynamic ports I'd been looking for.
> Naturally, you need to be more specific, and the above is not complete.
> Hope this gets you started and answers some of your questions.
Wonderful, actually. This, plus some thoughts given me out of channel,
makes me think I might yet be able to get some sleep one night.
Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
Seeking an IT Mgmt/Network Admin position in the Tampa Bay Region
If you would like to discuss an opportunity with me, please e-mail.
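The ruleset Jon outlines above (new inbound connections only to published services, replies to sessions we opened, block the rest) and the "Established TCP Conns. Only" setting Alan mentions are easier to reason about with a small simulation. The following is an added example and not code from the original post, the list, or Netopia; the addresses, ports and published services are constructed, and the flag-based "established" rule is an assumption about how such a router setting typically works (ACK bit set), since the post does not say how the R910 implements it.

```python
"""Simulation of a stateful packet filter versus a flag-based "established" rule.

Added example, not from the original post and not Netopia code.  All hosts,
ports and the service list are constructed for illustration.
"""
from dataclasses import dataclass, field

INSIDE_NET = "192.0.2."                            # constructed: the LAN behind the router
SUPPORTED_SERVICES = {("tcp", 25), ("tcp", 80)}    # constructed: services we publish


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags; ignored for udp
    ack: bool = False


@dataclass
class Firewall:
    """Rules 1-3 of the quoted list, with real connection tracking."""
    # Sessions initiated from inside: (proto, src, sport, dst, dport)
    sessions: set = field(default_factory=set)

    def _inbound(self, p: Packet) -> bool:
        return not p.src.startswith(INSIDE_NET) and p.dst.startswith(INSIDE_NET)

    def decide(self, p: Packet) -> str:
        if not self._inbound(p):
            # Outgoing: remember the session so its replies are admitted, then allow.
            # (The "block unsafe outgoing ports/protocols" rules are left out here.)
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow"
        # Rule 2: incoming responses to sessions we initiated (reversed 4-tuple).
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "allow"
        # Rule 1: new incoming connections only to supported services.
        if (p.proto, p.dport) in SUPPORTED_SERVICES:
            return "allow"
        # Rule 3: block everything else incoming.
        return "deny"


def established_flag_rule(p: Packet) -> str:
    """Assumed behaviour of a simple 'Established TCP Conns. Only: Yes' rule on
    ports > 1023: admit any TCP packet with ACK set, without remembering whether
    an inside host ever opened the connection.  No state table is kept."""
    if p.proto != "tcp" or p.dport <= 1023:
        return "deny"
    return "allow" if p.ack else "deny"


def run_scenario() -> dict:
    """Push a handful of constructed packets through both filters."""
    fw = Firewall()
    out = {}
    # An inside host opens a web session to an outside server.
    out["outbound_syn"] = fw.decide(Packet("tcp", "192.0.2.10", 40000, "198.51.100.5", 80, syn=True))
    # The server's SYN/ACK comes back to the high port the inside host chose.
    reply = Packet("tcp", "198.51.100.5", 80, "192.0.2.10", 40000, syn=True, ack=True)
    out["reply_stateful"] = fw.decide(reply)
    out["reply_flags"] = established_flag_rule(reply)
    # An outsider tries to open a connection to a high port nobody is serving on.
    probe_syn = Packet("tcp", "203.0.113.9", 1234, "192.0.2.10", 5000, syn=True)
    out["unsolicited_syn_stateful"] = fw.decide(probe_syn)
    out["unsolicited_syn_flags"] = established_flag_rule(probe_syn)
    # The same outsider sends a bare ACK (an ACK scan): no session exists for it.
    probe_ack = Packet("tcp", "203.0.113.9", 1234, "192.0.2.10", 5000, ack=True)
    out["ack_scan_stateful"] = fw.decide(probe_ack)
    out["ack_scan_flags"] = established_flag_rule(probe_ack)
    # A new connection to a service we do publish is allowed in.
    out["inbound_web_stateful"] = fw.decide(Packet("tcp", "203.0.113.9", 1234, "192.0.2.20", 80, syn=True))
    # UDP has no flags at all; only the session table can admit the NTP reply.
    fw.decide(Packet("udp", "192.0.2.10", 123, "203.0.113.50", 123))
    out["ntp_reply_stateful"] = fw.decide(Packet("udp", "203.0.113.50", 123, "192.0.2.10", 123))
    return out


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:28s} {verdict}")
```

The two filters agree on the ordinary cases (the SYN/ACK reply gets in, an unsolicited SYN does not), which is why "established only" on ports above 1023 is a reasonable substitute when a router has no state table. The ACK-scan case is where they differ: a flag-only rule lets any packet with ACK set through to a high port, so a scanner can still map which ports the router forwards, and UDP replies (the "=123" NTP case) need either a session table or an explicit rule since there are no flags to match.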