Firewall Wizards mailing list archives

Re: Ports 256,257,258 open on FW-1


From: Dave Whitlow <dwhitlow () wend dircon co uk>
Date: Mon, 14 Dec 1998 20:40:28 +0000 (GMT)

On Fri, 11 Dec 1998, Chris Brenton wrote:

> John Lauderdale wrote:
>
> > I notice that ports 256, 257, and 258 are open when our Firewall-1 is
> > portscanned.
> >
> > Does anyone know what FW-1 uses these ports for?
>
> You are looking at the control connection ports for Firewall-1. This is
> enabled by default under Policies-->Properties. The full set includes:
> TCP/256 - 259 and 261
> UDP/260 (SNMP)
> TCP/18181 - 18184
> IP Type=94 (IP within IP encapsulation)
>
> > Should those ports be visible from the Internet?
>
> Unfortunately, they are by default. This is why I advocate disabling
> control connections under Policies-->Properties and accepting
> connections through your rule set only. This prevents people from even
> attempting to connect to these ports from a hostile location.

And whilst you're doing this I suggest you check out the other bad
defaults in Policy/Properties. Chances are you're allowing ICMP, DNS (UDP
& zone), RIP and other things through. You may even be offering your SNMP
info (either the NT or the FW-1 MIB).

As someone else noted, about 9/10 FW-1 installations look like this.  I
always advise you switch off all these defaults and then add rules to
allow the things you *really* need.


Cheers,

Dave
-------------------------------------------------------------------------
Dave Whitlow                            Tel: +44-(0)181-861-2001
Idsec Ltd                               Fax: +44-(0)181-861-3433
Suite A, 31-33 College Road,            Mail: dwhitlow () idsec co uk
Harrow, HA1 1EJ, UK                     Web:  http://www.idsec.co.uk
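A practical follow-up to the advice above is to verify, from an outside host, that the control connection ports really are unreachable once the implied rules are switched off. The script below is an added example and not part of the original thread or of any Check Point tool: it performs a plain TCP connect probe against the TCP ports named in the thread (TCP/256-259, 261 and 18181-18184) and reports the ones that answer. UDP/260 and IP protocol 94 need different probes and are deliberately not covered. The local listener and the `local_selftest()` helper exist only so the probe can be exercised offline against a constructed target; the function and variable names are the example's own.

```python
import socket
import socketserver
import threading
from typing import Dict, Iterable, List

# TCP ports the thread lists as Firewall-1 control connections. UDP/260 (SNMP)
# and IP protocol 94 (IP-in-IP) are not testable with a TCP connect and are
# left out on purpose.
FW1_CONTROL_TCP_PORTS = (256, 257, 258, 259, 261, 18181, 18182, 18183, 18184)


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A completed connect means something accepted the SYN. A refusal, a
    timeout (typical for a dropped packet) or any other socket error is
    reported as not open; for this check all three mean "not exposed".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host: str, ports: Iterable[int] = FW1_CONTROL_TCP_PORTS,
                timeout: float = 2.0) -> Dict[int, bool]:
    """Probe each port once and map it to whether the connect succeeded."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def exposed_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that answered, i.e. control connections reachable from here."""
    return sorted(port for port, is_open in results.items() if is_open)


# Constructed stand-in for a firewall that still accepts control connections:
# a throwaway listener on 127.0.0.1 that accepts and immediately closes.
class _AcceptAndClose(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        self.request.close()


def start_local_listener(port: int = 0):
    """Bind a listener on 127.0.0.1 (port 0 = any free port) in a thread.

    Returns (server, bound_port); the caller shuts the server down.
    """
    server = socketserver.TCPServer(("127.0.0.1", port), _AcceptAndClose)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def local_selftest():
    """Run the probe against one listening and one closed local port.

    Returns (listening_port_reported_open, closed_port_reported_open).
    """
    server, open_port = start_local_listener()
    try:
        # Reserve then release a second port so it is (almost certainly) closed.
        with socket.socket() as tmp:
            tmp.bind(("127.0.0.1", 0))
            closed_port = tmp.getsockname()[1]
        results = probe_ports("127.0.0.1", [open_port, closed_port], timeout=2.0)
        return results[open_port], results[closed_port]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    import sys
    # Usage: python fw1_ports.py <external address of the firewall>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    found = exposed_ports(probe_ports(target))
    print(f"{target}: FW-1 control ports answering: {found or 'none'}")
```

Run it from a host on the untrusted side of the firewall; after the implied rules are disabled and no explicit rule permits them, every port should come back closed or filtered. A "filtered" result (timeout) and a "closed" result (refusal) are both reported as not open here, which is the right outcome for this check, though it also means the script will not tell you whether the firewall drops or rejects.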