Security Basics mailing list archives

Re: Firewall setup


From: Sebastian Schneider <ses () straightliners de>
Date: Tue, 16 Sep 2003 01:33:53 +0200


Hey Gaz,

usually you do it the other way 'round, that is, by allowing the sort of 
traffic that fits your needs and requirements.
Depending on what you do and which services you use, the ports 25 (smtp), 53 
(nameserver), 80 (http), 110 (pop3) and 443 (https) are common.

Please take account of the source and destinations, since rules and filters may 
depend on that. When talking about "return connections" (so-called related 
and established traffic), I suppose you're talking about stateful firewalls 
like iptables. There are different kinds of firewall technologies (packet 
filter, stateful firewalls and proxy firewalls, or combinations of these). So  
your setup will differ regarding the type chosen.

However, the default policy should be deny or drop, depending on the software 
chosen. Thus just allowed traffic will traverse your firewall and everything 
else will be dropped. I guess this is what's crossing your mind when talking 
about a proactive approach.

If you're about to connect more than one workstation or server to the 
internet, you'll need to use NAT (sometimes called PAT).

As you say, you don't want to block all outgoing traffic, which is an easy to 
use but not a secure way. You can adapt that to your firewall when defining the 
filters. Something like block all outgoing broadcasts, traffic with a source 
OR destination port of 135-139 or 445. If you're running MacOS based 
computers within your environment you should drop afs (Apple file sharing) 
traffic as well.
Your appropriate incoming ruleset will just allow new connections to 
well-defined services or already related or established traffic.


Kindest Regards,
Sebastian

On Monday 15 September 2003 17:33, Gaz Wilson wrote:
Hi all,

I'm about to get *DSL in my village, and I am going to want to operate
a firewall naturally.  I know about blocking all incoming ports bar
any service I want to run and "return connections", but with the
increase in worms et al flying around (mixed network, UNIX and
Windows (prob 2k)), it strikes me that being a bit more proactive
and blocking certain outgoing ports would be a good idea.  I don't
need any MS based traffic leaving the private network, so I wanted to
ask the specialists, you lot, what your opinions are of what would be a
fairly secure set of ports to block to help stop info leakage etc?
(I don't want to block all outgoing except for known services though, as
the uses of the boxes on the network may vary and I don't want to have to
reconfig the firewall quite that often :) )

TIA

Gaz

-- 

Sebastian Schneider
straightLiners IT Consulting & Services
Metzer Str. 12
13595 Berlin
Germany

Phone: +49-30-3510-6168
Fax: +49-30-3510-6169
www.straightliners.de
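An added example, not part of Sebastian's or Gaz's mails: a shell function that emits an iptables-restore ruleset implementing the policy described in the reply (default drop, related/established traffic allowed, new inbound connections only to listed services, outbound 135-139/445 and broadcasts dropped, NAT for the private network). The interface names, LAN subnet and service list are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original mails): emits an iptables-restore ruleset
# for the policy discussed above. Placeholders below are assumptions; adjust them.
WAN=${WAN:-eth0}                      # assumed: interface towards the DSL link
LAN=${LAN:-eth1}                      # assumed: interface towards the LAN
LAN_NET=${LAN_NET:-192.168.1.0/24}    # assumed: private address range
INBOUND_SERVICES=${INBOUND_SERVICES:-"22 80 443"}   # tcp services you run

gen_rules() {
    # Default policy: drop everything that is not explicitly allowed.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
EOF
    # Return traffic of already related or established connections.
    for chain in INPUT FORWARD OUTPUT; do
        echo "-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    # New inbound connections only to the well-defined services.
    for port in $INBOUND_SERVICES; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Outbound filters: MS networking (source OR destination 135-139, 445)
    # and broadcasts never leave towards the internet. Drops precede accepts.
    for chain in FORWARD OUTPUT; do
        for proto in tcp udp; do
            for dir in sport dport; do
                echo "-A $chain -o $WAN -p $proto --$dir 135:139 -j DROP"
                echo "-A $chain -o $WAN -p $proto --$dir 445 -j DROP"
            done
        done
        echo "-A $chain -o $WAN -m addrtype --dst-type BROADCAST -j DROP"
    done
    # Everything else from the LAN and from the firewall itself may go out.
    echo "-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
    echo "-A OUTPUT -o $WAN -j ACCEPT"
    echo "COMMIT"
    # NAT (masquerading) so several machines share the single public address.
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}
```

Review the output first, then load it as root with `gen_rules | iptables-restore`; the LAN only reaches the internet once IP forwarding is enabled on the firewall host.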

