
Re: Firewall Rules




I had a very similar problem when trying to help set up a SOHO as a favor. This person wanted good security, but also wanted to be able to do Internet phone stuff and the gamut of Instant Messenger crap. After much wrangling and explanation until I was blue in the face I finally got them to "understand" the rather marginal security stance and opened up whole blocks of UDP so they could have their services.

Windows machines and the types of services folks like to run on them are typically the antithesis of good firewalling practices. Your question goes beyond the technical issue and into the esoteric and subjective realm of determining an acceptable security stance for your network.

For what you've described, you'll need to determine on which range of ports these services listen (UDP/TCP/both?) and then arrange your IPChains/Tables rules accordingly, starting with the default DENY policy and then allowing in the ranges as desired.

Again, be careful - all of the "fun" Net services care not a whit about security.

At 08:49 AM 5/18/2001 +1000, Cassandra Ludwig wrote:
I have an interesting little problem here.

I want to as a default REJECT all packets from my firewall's external
interface, and then allow in only certain packets.  I have already written
rules to allow in the services I am running on the firewall (like http,
http-secure, smtp, imap, pop3, etc.), however it seems that I need to add in
a never-ending list of ports to allow the windows machines behind the
firewall full access to their response packets.  My biggest concern with
that is that with some of them (ICQ for one) the ports are more often than
not dynamic...  My real question here is, how would I go about allowing the
windows machine(s) behind the firewall to receive full responses from the
internet without returning the firewall back to its previous default state
of ACCEPT.  There are so many ports under 1024 that I want to block off from
external use, and I do not personally feel like blocking all 1010 (or
whatever) ports manually.

Regards,
    Cassandra





--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
eric.valor@lutris.com

- This Space Intentionally Left Blank -
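The ruleset the reply above points at, as an added example that is not code from either poster: an iptables (netfilter 2.4) script with a default DROP policy, the firewall's own public services opened, and connection tracking letting LAN hosts receive replies on whatever port the remote side picked, so no port ranges need opening (ipchains is stateless and cannot do this). Interface names, the LAN range, the DRY_RUN switch and the use of /etc/services names for ports are assumptions.

```shell
#!/bin/sh
# Generates the iptables rules for the setup discussed in the thread:
# default DROP on the external interface, the firewall's own services
# allowed in, and LAN hosts getting their reply packets via connection
# tracking rather than via a never-ending list of allowed ports.
# Prints the commands by default; run with DRY_RUN=0 to apply them.
# Interface names and the LAN range are assumptions, not from the thread.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# Public services running on the firewall itself (from the question).
PUBLIC_TCP="http https smtp imap pop3"

emit() {
    # Dry-run mode prints the command instead of executing it.
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

gen_rules() {
    # Flush, then set default policies: nothing enters or transits unless
    # a rule below allows it; outbound from the firewall itself is allowed.
    emit -F
    emit -P INPUT DROP
    emit -P FORWARD DROP
    emit -P OUTPUT ACCEPT
    # Loopback and LAN-side traffic to the firewall are trusted.
    emit -A INPUT -i lo -j ACCEPT
    emit -A INPUT -i "$INT_IF" -s "$LAN_NET" -j ACCEPT
    # Replies to connections the firewall or a LAN host opened come back
    # no matter which port the remote side chose (ICQ, voice, and so on).
    emit -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    emit -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open new connections outwards.
    emit -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW,ESTABLISHED -j ACCEPT
    # Unsolicited inbound traffic: only the firewall's own public services.
    for svc in $PUBLIC_TCP; do
        emit -A INPUT -i "$EXT_IF" -p tcp --dport "$svc" -m state --state NEW -j ACCEPT
    done
    # Hide the LAN behind the external address.
    emit -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

gen_rules
```

Nothing below port 1024 is listed individually: the DROP policy covers every port not explicitly opened, and the state rules are what let the Windows machines' responses through.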
