[Dshield] Closing ports

Alan Frayer afrayer at frayernet.com
Thu Sep 11 00:41:59 GMT 2003


On Wed, 2003-09-10 at 18:38, Jon R. Kibler wrote:
> Exactly what firewall are you using?

Netopia R910 router

> The firewalls I am familiar with allow you to control access based upon:
> 	Incoming Packets
> 	Outgoing Packets
> 	Forwarded Packets

I get two out of three: I can forward or block packets inbound or
outbound, based on IP, protocol, or port.

> And within each of these categories, you can control access based upon protocol. Within each protocol, you have protocol-specific degrees of control. For example, with TCP, you can permit or deny access based upon whether it is an established session. Such capabilities generally eliminate the worry about ports > 1024.

Now that you mention it, I think I did see something about established
sessions: "Established TCP Conns. Only: Yes or No"

You suggest I set ports over 1023 as Yes?

> The usual (very general) rules are:
> 	Allow establishment of new incoming connections only on supported services
> 	Allow incoming responses to outgoing initiated sessions
> 	Block everything else incoming
> 	Block unsafe outgoing ports < 1024 (somewhat O/S dependent)
> 	Block unsafe outgoing protocols (ARP, RIP, etc.)
> 	Block forwarding
> 	Allow everything else outgoing

Much simpler than that, I'm afraid. I get to allow or block only on IP
addresses by protocol type and/or ports, but I get to specify source and
destination port values, and I can use simple logical operators to
define a port range, such as >1023, or =123. And there was the
established connections line I'd forgotten about. I suppose that was the
dynamic ports I'd been looking for.

> Naturally, you need to be more specific, and the above is not complete.

Naturally.

> Hope this gets you started and answers some of your questions.

Wonderful, actually. This, plus some thoughts given me out of channel,
makes me think I might yet be able to get some sleep one night.


________________________________________________________________________
Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
Seeking an IT Mgmt/Network Admin position in the Tampa Bay Region
If you would like to discuss an opportunity with me, please e-mail.
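The filter model Alan describes (per-rule protocol, source/destination port tests such as >1023 or =123, and an "Established TCP Conns. Only" switch), loaded with Jon's general rule list, as an added worked example. This is constructed toy code for this thread, not the Netopia R910's configuration syntax and not anything either poster wrote. It assumes SMTP and HTTP are the site's supported services, uses the Windows networking ports as the "unsafe outgoing" set, and models "established" the way simple routers of that era did, by the ACK bit rather than a connection table.

```python
"""Ordered first-match packet filter illustrating the thread's rule list.

Constructed example: the rule syntax, service ports and "unsafe" port set are
assumptions for illustration, not the Netopia R910's own configuration.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    direction: str                       # "in" (WAN -> LAN) or "out" (LAN -> WAN)
    proto: str                           # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: frozenset = frozenset()   # e.g. frozenset({"SYN"}), frozenset({"ACK"})


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                                     # "permit" or "deny"
    proto: Optional[str] = None                     # None matches any protocol
    src_port: Optional[Callable[[int], bool]] = None
    dst_port: Optional[Callable[[int], bool]] = None
    established_only: bool = False                  # only TCP segments with ACK set
    comment: str = ""


def eq(n):
    return lambda p: p == n


def gt(n):
    return lambda p: p > n


def is_established_tcp(pkt: Packet) -> bool:
    # Early router filters approximated "established" by the ACK bit: a bare
    # SYN (no ACK) opens a connection, anything carrying ACK is treated as part
    # of one already under way, so a SYN/ACK reply to our own SYN passes.
    # This is weaker than a real connection table, which tracks each session.
    return pkt.proto == "tcp" and "ACK" in pkt.tcp_flags


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src_port is not None and not rule.src_port(pkt.src_port):
        return False
    if rule.dst_port is not None and not rule.dst_port(pkt.dst_port):
        return False
    if rule.established_only and not is_established_tcp(pkt):
        return False
    return True


def evaluate(rules, pkt):
    """First matching rule decides; no match means deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


# Jon's general rules written out for a site exposing SMTP and HTTP
# (assumed services); the low-port deny set is likewise an assumption.
RULES = [
    Rule("in", "permit", "tcp", dst_port=eq(25), comment="new connections to supported service (SMTP)"),
    Rule("in", "permit", "tcp", dst_port=eq(80), comment="new connections to supported service (HTTP)"),
    Rule("in", "permit", "tcp", dst_port=gt(1023), established_only=True,
         comment="responses to sessions our side initiated"),
    Rule("in", "permit", "udp", src_port=eq(53), dst_port=gt(1023),
         comment="DNS replies; UDP has no ACK bit, so it needs an explicit rule"),
    Rule("in", "deny", comment="block everything else incoming"),
    Rule("out", "deny", "tcp", dst_port=lambda p: p in (135, 139, 445),
         comment="unsafe outgoing low ports (Windows networking)"),
    Rule("out", "deny", "udp", dst_port=lambda p: p in (137, 138),
         comment="unsafe outgoing low ports (NetBIOS)"),
    Rule("out", "permit", comment="allow everything else outgoing"),
]

# Constructed traffic samples covering each branch of the rule list.
SAMPLES = {
    "inbound SYN to SMTP": Packet("in", "tcp", 40000, 25, frozenset({"SYN"})),
    "inbound SYN to high port": Packet("in", "tcp", 40000, 5000, frozenset({"SYN"})),
    "inbound SYN/ACK to high port": Packet("in", "tcp", 80, 5000, frozenset({"SYN", "ACK"})),
    "inbound ACK to high port": Packet("in", "tcp", 80, 5000, frozenset({"ACK"})),
    "inbound DNS reply": Packet("in", "udp", 53, 33000),
    "inbound UDP to high port": Packet("in", "udp", 12345, 33000),
    "outbound SYN to web": Packet("out", "tcp", 5000, 80, frozenset({"SYN"})),
    "outbound SMB": Packet("out", "tcp", 5000, 445, frozenset({"SYN"})),
}


def decisions():
    """Map each sample name to the filter's permit/deny decision."""
    return {name: evaluate(RULES, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, why = evaluate(RULES, pkt)
        print(f"{action:6} {name:30} ({why})")
```

The sample set shows the point Jon makes about ports above 1023: an unsolicited SYN to a high port is dropped, while the SYN/ACK and ACK segments that answer an outgoing connection pass the established-only rule. The DNS line shows the gap that rule leaves for UDP, which has no handshake to inspect and so needs its own explicit permit.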