Re: Firewal Rules

To: "Eric N. Valor" <eric.valor@lutris.com>
Cc: "Cassandra Ludwig" <illiath@bigpond.net.au>, "Debian - Firewall" <debian-firewall@lists.debian.org>
Subject: Re: Firewal Rules
From: "Dan Hutchinson" <hutchinsond@zdnetonebox.com>
Date: Fri, 18 May 2001 08:40:39 -0400
Message-id: <[🔎] 20010518124039.SYNK20166.mta07.onebox.com@onebox.com>

I would like to point at for a start, most of these Instant Messenger,
ICQ and other services have settings that will work with firewalls. 
They will use defined ports that you can open in your firewall, but I
agree with a Security Policy would have to be setup so that the questions
of which of these services will be beneficial and allowed and which are
just fun nick-nacks.

---- "Eric N. Valor" <eric.valor@lutris.com> wrote:
> 
> I had a very similar problem when trying to help set up a SOHO as a
> 
> favor.  This person wanted good security, but also wanted to be able
> to do 
> Internet phone stuff and the gamut of Instant Messenger crap.  After
> much 
> wrangling and explanation until I was blue in the face I finally got
> them 
> to "understand" the rather marginal security stance and opened up whole
> 
> blocks of UDP so they could have their services.
> 
> Windows machines and the types of services folks like to run on them
> are 
> typically the antithesis of good firewalling practices.  Your question
> goes 
> beyond the technical issue and into the esoteric and subjective realm
> of 
> determining an acceptable security stance for your network.
> 
> For what you've described, you'll need to determine on which range
> of ports 
> these services listen (UDP/TCP/both?) and then arrange your IPChains/Tables
> 
> rules accordingly, starting with the default DENY policy and then allowing
> 
> in the ranges as desired.
> 
> Again, be careful - all of the "fun" Net services care not a whit about
> 
> security.
> 
> At 08:49 AM 5/18/2001 +1000, Cassandra Ludwig wrote:
> >I have an interesting little problem here.
> >
> >I want to as a default REJECT all packets from my firewall's external
> >interface, and then allow in only certain packets.  I have already
> written
> >rules to allow in the services I am running on the firewall (like
> http,
> >http-secure, smtp, imap, pop3, etc.), however it seems that I need
> to add in
> >a never-ending list of ports to allow the windows machines behind
> the
> >firewall full access to their response packets.  My biggest concern
> with
> >that is that with some of them (ICQ for one) the ports are more often
> than
> >not dynamic...  My real question here is, how would I go about allowing
> the
> >windows machine(s) behind the firewall to receive full responses from
> the
> >internet without returning the firewall back to it's previous default
> state
> >of ACCEPT.  There are so many ports under 1024 that I want to block
> off from
> >external use, and I do not personally feel like blocking all 1010
> (or
> >whatever) ports manually.
> >
> >Regards,
> >     Cassandra
> >
> >
> >
> >
> >--
> >To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> >with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> --
> Eric N. Valor
> Webmeister/Inetservices
> Lutris Technologies
> eric.valor@lutris.com
> 
> - This Space Intentionally Left Blank -
> 
> 
> --  
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> 

___________________________________________________________________
To get your own FREE ZDNet Onebox - FREE voicemail, email, and fax,
all in one place - sign up today at http://www.zdnetonebox.com

Reply to:

Follow-Ups:
- Re: Firewal Rules
  - From: "Robert Davies" <Rob_Davies@NTLWorld.Com>
- Re: Firewal Rules
  - From: Bryan Voss <bvoss@vosswerx.com>

Prev by Date: Re: How do you proxy?
Next by Date: Re: Firewal Rules
Previous by thread: Re: Firewal Rules
Next by thread: Re: Firewal Rules
Index(es):
- Date
- Thread