Re: Firewall Rules
I would like to point out, for a start, that most of these Instant Messenger,
ICQ and other services have settings that will work with firewalls.
They will use defined ports that you can open in your firewall, but I
agree that a security policy would have to be set up to settle the question
of which of these services are beneficial and allowed, and which are
just fun knick-knacks.
---- "Eric N. Valor" <email@example.com> wrote:
> I had a very similar problem when trying to help set up a SOHO as a
> favor. This person wanted good security, but also wanted to be able to do
> Internet phone stuff and the gamut of Instant Messenger crap. After
> wrangling and explanation until I was blue in the face I finally got
> to "understand" the rather marginal security stance and opened up whole
> blocks of UDP so they could have their services.
>
> Windows machines and the types of services folks like to run on them are
> typically the antithesis of good firewalling practices. Your question goes
> beyond the technical issue and into the esoteric and subjective realm of
> determining an acceptable security stance for your network.
>
> For what you've described, you'll need to determine on which range of ports
> these services listen (UDP/TCP/both?) and then arrange your IPChains/Tables
> rules accordingly, starting with the default DENY policy and then allowing
> in the ranges as desired.
>
> Again, be careful - all of the "fun" Net services care not a whit about
> At 08:49 AM 5/18/2001 +1000, Cassandra Ludwig wrote:
> >I have an interesting little problem here.
> >
> >I want to as a default REJECT all packets from my firewall's external
> >interface, and then allow in only certain packets. I already have
> >rules to allow in the services I am running on the firewall (like
> >http-secure, smtp, imap, pop3, etc.), however it seems that I need to add in
> >a never-ending list of ports to allow the windows machines behind the
> >firewall full access to their response packets. My biggest concern
> >is that with some of them (ICQ for one) the ports are more often than
> >not dynamic... My real question here is, how would I go about allowing the
> >windows machine(s) behind the firewall to receive full responses from the
> >internet without returning the firewall back to its previous default
> >of ACCEPT. There are so many ports under 1024 that I want to block off from
> >external use, and I do not personally feel like blocking all 1010 (or
> >whatever) ports manually.
> >
> > Cassandra
> >To UNSUBSCRIBE, email to firstname.lastname@example.org
> >with a subject of "unsubscribe". Trouble? Contact email@example.com
> Eric N. Valor
> Lutris Technologies
> - This Space Intentionally Left Blank -
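The problem raised in the quoted thread (letting the LAN's reply packets back in without reverting to a default ACCEPT, and without enumerating every dynamic port an IM client might use) is what netfilter connection tracking solves. The following is an added example, not code from any of the posters: a POSIX sh script that emits an iptables-restore ruleset with a default DROP policy on INPUT and FORWARD, a `-m state --state ESTABLISHED,RELATED` rule that admits answers to flows the firewall or a LAN host opened, the firewall's own services from the question (https, smtp, imap, pop3) opened on the external interface, and an optional list of explicit inbound UDP holes for an application that must accept unsolicited traffic. The interface names eth0/eth1, the LAN subnet 192.168.1.0/24, masquerading, and the sample host and port range in the usage note are assumptions for illustration; look up the real port ranges of the application you are allowing.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset
# that keeps a default DROP policy yet lets LAN hosts receive their replies.
# Assumed layout: Internet on eth0, LAN 192.168.1.0/24 on eth1, masqueraded.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# TCP services the firewall itself offers to the Internet (from the question:
# https, smtp, imap, pop3).
FW_TCP_SERVICES="${FW_TCP_SERVICES:-443 25 143 110}"

# Applications that must accept unsolicited inbound UDP on a LAN host, given
# as space-separated "lanhost=port" or "lanhost=lo:hi" entries. Empty by
# default; any value you set here is your own assumption about the application.
UDP_HOLES="${UDP_HOLES:-}"

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections the firewall or a LAN host initiated. This is what
# makes the per-port allow list unnecessary: conntrack remembers the outbound
# flow and admits the matching TCP/UDP answers, dynamic port or not.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets that claim to belong to a flow conntrack has never seen
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# LAN hosts may open new connections outward
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
EOF
    # Services the firewall serves to the Internet: only these get NEW inbound
    for p in $FW_TCP_SERVICES; do
        echo "-A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Explicit holes for applications that need unsolicited inbound UDP
    for h in $UDP_HOLES; do
        host=${h%%=*}; ports=${h#*=}
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -p udp -d $host --dport $ports -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
    # With masquerading, each UDP hole also needs a DNAT to reach the LAN host
    for h in $UDP_HOLES; do
        host=${h%%=*}; ports=${h#*=}
        echo "-A PREROUTING -i $WAN_IF -p udp --dport $ports -j DNAT --to-destination $host"
    done
    echo COMMIT
}

# count_rules PATTERN: number of emitted lines containing PATTERN (fixed string)
count_rules() {
    gen_ruleset | grep -c -F -- "$1" || true
}

# Usage: sh fw-rules.sh --print | iptables-restore
case "${1:-}" in
    --print) gen_ruleset ;;
esac
```

To open a hypothetical IM client's inbound range on one LAN host, run for example `UDP_HOLES="192.168.1.10=4000:4100" sh fw-rules.sh --print | iptables-restore` (host and range are placeholders). The `-m state` match is what the 2.4-era iptables in the thread offered; on current kernels it is an alias for `-m conntrack --ctstate` and behaves the same. Note that ipchains has no connection tracking at all, which is exactly why Cassandra's approach needed an open-ended list of ports: the stateful rule above is only available with iptables.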