Re: Firewall Rules
I had a very similar problem when trying to help set up a SOHO as a
favor. This person wanted good security, but also wanted to be able to do
Internet phone stuff and the gamut of Instant Messenger crap. After much
wrangling and explanation until I was blue in the face I finally got them
to "understand" the rather marginal security stance and opened up whole
blocks of UDP so they could have their services.
Windows machines and the types of services folks like to run on them are
typically the antithesis of good firewalling practices. Your question goes
beyond the technical issue and into the esoteric and subjective realm of
determining an acceptable security stance for your network.
For what you've described, you'll need to determine on which range of ports
these services listen (UDP/TCP/both?) and then arrange your IPChains/Tables
rules accordingly, starting with the default DENY policy and then allowing
in the ranges as desired.
Again, be careful - all of the "fun" Net services care not a whit about
At 08:49 AM 5/18/2001 +1000, Cassandra Ludwig wrote:
I have an interesting little problem here.
I want to as a default REJECT all packets from my firewall's external
interface, and then allow in only certain packets. I have already written
rules to allow in the services I am running on the firewall (like http,
http-secure, smtp, imap, pop3, etc.), however it seems that I need to add in
a never-ending list of ports to allow the windows machines behind the
firewall full access to their response packets. My biggest concern with
that is that with some of them (ICQ for one) the ports are more often than
not dynamic... My real question here is, how would I go about allowing the
windows machine(s) behind the firewall to receive full responses from the
internet without returning the firewall back to its previous default state
of ACCEPT. There are so many ports under 1024 that I want to block off from
external use, and I do not personally feel like blocking all 1010 (or
whatever) ports manually.
Eric N. Valor
- This Space Intentionally Left Blank -
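The stance Eric describes (default DENY on the external interface, then explicit allows) still leaves the original question open: how do the Windows clients get their reply packets back when the remote port is dynamic? On iptables (netfilter) the answer is connection tracking: one rule matching `-m state --state ESTABLISHED,RELATED` lets replies to connections opened from inside come back, so no range of high ports ever has to be opened inbound. That match does not exist in ipchains, which is stateless, so this example is iptables only. The script below is an added example written for this thread, not code from either poster; it assumes an external interface named eth0 and the service list from the question (http, https, smtp, imap, pop3), and it prints the rules for review rather than applying them unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables ruleset for a
# default-DROP external interface with explicit service allows and
# connection tracking for reply packets.
# Assumptions (not from the thread): external interface "eth0" and the
# service port list below; rules are printed, not applied, unless APPLY=1.

EXT_IF="${EXT_IF:-eth0}"
# TCP services the firewall itself listens on, per the original question:
# http, https, smtp, imap, pop3.
SERVICE_PORTS="80 443 25 143 110"

# Print the ruleset one command per line so it can be reviewed (or piped
# to sh) before it touches a live firewall.
# Usage: gen_rules <external-interface> <tcp-port> [<tcp-port> ...]
gen_rules() {
    ext="$1"
    shift
    # Default policies: nothing gets in or through unless a rule says so.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -F INPUT"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections that were opened from inside (or by the
    # firewall itself). This single rule replaces the never-ending list of
    # high ports: conntrack remembers each outbound connection and admits
    # only the matching reply traffic, whatever port it arrives on.
    echo "iptables -A INPUT -i $ext -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $ext -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Clients behind the firewall may open new connections outward, and are
    # masqueraded behind the external address.
    echo "iptables -A FORWARD ! -i $ext -o $ext -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE"
    # Services the firewall itself offers to the outside: only NEW
    # connections to these TCP ports are accepted from the external side.
    for p in "$@"; do
        echo "iptables -A INPUT -i $ext -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Everything else arriving NEW from outside is logged so the drop is
    # visible, then falls through to the DROP policy.
    echo "iptables -A INPUT -i $ext -m state --state NEW -j LOG --log-prefix 'FW-DROP: '"
}

# Count the explicit inbound service allows in a generated ruleset, so a
# reviewer can confirm that only the intended ports were opened.
count_service_allows() {
    gen_rules "$@" | grep -c -- '--dport'
}

if [ "${APPLY:-0}" = "1" ]; then
    gen_rules "$EXT_IF" $SERVICE_PORTS | sh
else
    gen_rules "$EXT_IF" $SERVICE_PORTS
fi
```

Run it once without APPLY to read the generated rules; the `--dport` lines are the only inbound openings, and the `ESTABLISHED,RELATED` line is what carries the reply traffic for ICQ and the rest, so the default policy can stay DROP.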