
Re: Firewall Rules

I would like to point out for a start that most of these Instant Messenger,
ICQ and other services have settings that will work with firewalls.
They will use defined ports that you can open in your firewall, but I
agree that a Security Policy would have to be set up to settle the
questions of which of these services will be beneficial and allowed and
which are just fun knick-knacks.

---- "Eric N. Valor" <eric.valor@lutris.com> wrote:
> I had a very similar problem when trying to help set up a SOHO as a
> favor.  This person wanted good security, but also wanted to be able
> to do Internet phone stuff and the gamut of Instant Messenger crap.
> After much wrangling and explanation until I was blue in the face I
> finally got them to "understand" the rather marginal security stance
> and opened up whole blocks of UDP so they could have their services.
>
> Windows machines and the types of services folks like to run on them
> are typically the antithesis of good firewalling practices.  Your
> question goes beyond the technical issue and into the esoteric and
> subjective realm of determining an acceptable security stance for your
> network.
>
> For what you've described, you'll need to determine on which range of
> ports these services listen (UDP/TCP/both?) and then arrange your
> IPChains/Tables rules accordingly, starting with the default DENY
> policy and then allowing in the ranges as desired.
>
> Again, be careful - all of the "fun" Net services care not a whit
> about security.
> At 08:49 AM 5/18/2001 +1000, Cassandra Ludwig wrote:
> >I have an interesting little problem here.
> >
> >I want to as a default REJECT all packets from my firewall's external
> >interface, and then allow in only certain packets.  I have already
> >written rules to allow in the services I am running on the firewall
> >(like http, http-secure, smtp, imap, pop3, etc.), however it seems
> >that I need to add in a never-ending list of ports to allow the
> >windows machines behind the firewall full access to their response
> >packets.  My biggest concern with that is that with some of them (ICQ
> >for one) the ports are more often than not dynamic...  My real
> >question here is, how would I go about allowing the windows
> >machine(s) behind the firewall to receive full responses from the
> >internet without returning the firewall back to its previous default
> >state of ACCEPT.  There are so many ports under 1024 that I want to
> >block off from external use, and I do not personally feel like
> >blocking all 1010 (or whatever) ports manually.
> >
> >Regards,
> >     Cassandra
> >
> >--
> >To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> >with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> --
> Eric N. Valor
> Webmeister/Inetservices
> Lutris Technologies
> eric.valor@lutris.com
> - This Space Intentionally Left Blank -
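Added example, not from either poster: the default DENY layout Eric describes, written as an iptables rule generator for the firewall in Cassandra's question. In place of per-application port ranges it uses the iptables state match (connection tracking), so LAN hosts get their response packets back without reopening anything; eth0 as the external interface and 192.168.1.0/24 as the LAN are assumptions.

```shell
#!/bin/sh
# Added example: emits an iptables ruleset with a default DENY policy,
# explicit ACCEPTs for the services the firewall itself runs, and the
# state match (connection tracking) so that replies to connections opened
# from inside come back whatever port the remote side chose.
# Assumed values, not from the thread: external interface and LAN range.
EXT_IF="${EXT_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# TCP services the firewall host offers (http, https, smtp, imap, pop3).
FW_TCP_SERVICES="80 443 25 143 110"

# Print the rules as commands; nothing is applied unless --apply is given.
gen_rules() {
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Return traffic (TCP and UDP alike) for connections already in the
    # state table is accepted here; no per-application port list needed.
    echo "iptables -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only these new inbound connections reach the firewall's own daemons.
    for p in $FW_TCP_SERVICES; do
        echo "iptables -A INPUT -i $EXT_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # LAN hosts may originate connections outward; replies ride the
    # ESTABLISHED rule above.  Masquerade them behind the external address.
    echo "iptables -A FORWARD -s $LAN_NET ! -i $EXT_IF -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE"
    # Everything else falls through to the DROP policy.
}

# Number of ports that accept NEW connections from the outside: the whole
# exposed surface, which should stay as small as the policy allows.
count_exposed_ports() {
    gen_rules | grep -c -- '--state NEW -j ACCEPT'
}

if [ "${1:-}" = "--apply" ]; then
    gen_rules | sh
fi
```

Run it with --apply as root to load the rules; without the flag it only prints them for review.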
