Firewall Wizards mailing list archives

RE: Which ports to allow NT domain controllers ...?


From: "Stefan Norberg" <stnor () sweden hp com>
Date: Mon, 28 Aug 2000 08:05:15 +0200

Chris,

You need to ask yourself *why* and not *how* you want to run NetBT (NetBIOS
over TCP/IP) through a Firewall. Since *everything* in NT is multiplexed in
NetBIOS/SMB (EventViewer, Server Manager, Browsing, Domain logons etc.
etc.) a Firewall would add very little security if you allow NetBIOS through
it. Often there are alternative solutions; dual-homed hosts with NetBT
unbound for the external interface would add some additional security if you
don't connect the whole perimeter on the back-end. Personally, I think the
only safe option is to shut down SMB/NetBIOS on a bastion host.

If you just want to be able to admin the systems there's a bunch of hints on
how to do this (w/o NetBT, using SSH/VNC or Terminal Services) in an upcoming
O'Reilly book "Securing Windows NT/2000 Servers for the Internet" (out in
November or so).


Stefan Norberg
stnor () sweden hp com

-----Original Message-----
From: firewall-wizards-admin () nfr net
[mailto:firewall-wizards-admin () nfr net]On Behalf Of Ariel
Sent: den 27 augusti 2000 08:09
To: firewall-wizards () nfr net
Cc: puetzc () yahoo com
Subject: RE: [fw-wiz] Which ports to allow NT domain controllers ...?


Since it seems no one likes NT on this list - I'll take the challenge of
helping....

Before you start opening ports and making all crazy rules on your firewall,
it is most important to make sure you have adequate name resolution (and I
don't mean DNS style). All machines should be able to find PDCs and other
"special" machines (like master browser etc.). For this purpose you should
use WINS, or if you have a small network you can use the LMHOSTS
file (don't forget that the #PRE #DOM:YOURDOMAIN are case sensitive!!). All
this is needed since broadcasts don't pass the firewall (it being a router
and so...), and after all you want NT NetBIOS operational.

On the firewall you should have all NBT ports open (137, 138 UDP, 139 TCP)
in the direction you wish open. Should you wish other types of communication
open other than NBT and SMB you should have them opened separately.


Ariel
www.sys-security.com
Because Security Is Not Trivial.
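The LMHOSTS case-sensitivity trap Ariel mentions is easy to check for mechanically. The following is an added example, not code from either poster: a small LMHOSTS parser that extracts the #PRE (preload) and #DOM: (domain controller) markers and flags entries that NT would silently ignore, namely lower-case keywords (anything after a '#' that is not a recognised upper-case keyword is a comment), invalid IPv4 addresses, and NetBIOS names longer than 15 characters. The sample file contents are constructed for the example; the host names, addresses and domain name are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample LMHOSTS file for this example (not from the original post).
SAMPLE_LMHOSTS = """\
# comment line, ignored
10.0.0.1     PDC01      #PRE #DOM:CORP
10.0.0.2     BDC01      #PRE #DOM:CORP
10.0.0.3     FILESRV1   #pre #dom:CORP
10.0.0.4     BROWSER01  #PRE
300.0.0.5    BADHOST    #PRE
10.0.0.6     THISNAMEISWAYTOOLONG #PRE
10.0.0.7     BDC02      #DOM:CORP
"""

MAX_NETBIOS_NAME = 15  # 16th byte of a NetBIOS name is the service suffix


@dataclass
class Entry:
    ip: str
    name: str
    preload: bool = False          # #PRE: loaded into the name cache at boot
    domain: Optional[str] = None   # #DOM:<domain>: host is a DC for <domain>
    warnings: List[str] = field(default_factory=list)


def parse_lmhosts(text: str) -> List[Entry]:
    """Parse LMHOSTS text into entries, recording problems NT would not report."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment, or #INCLUDE-style directive
        parts = line.split()
        if len(parts) < 2:
            continue  # not an "address name" line
        ip, name, rest = parts[0], parts[1], parts[2:]
        e = Entry(ip=ip, name=name)

        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            e.warnings.append(f"line {lineno}: invalid IPv4 address {ip!r}")
        if len(name) > MAX_NETBIOS_NAME:
            e.warnings.append(
                f"line {lineno}: name {name!r} exceeds {MAX_NETBIOS_NAME} characters")

        for tok in rest:
            if tok == "#PRE":
                e.preload = True
            elif tok.startswith("#DOM:") and len(tok) > 5:
                e.domain = tok[5:]
            elif tok.startswith("#"):
                # Not an upper-case keyword: NT treats the rest of the line as a comment.
                if tok.upper() == "#PRE" or tok.upper().startswith("#DOM:"):
                    e.warnings.append(
                        f"line {lineno}: {tok!r} is not upper-case and will be read as a comment")
                break
            else:
                e.warnings.append(f"line {lineno}: unexpected token {tok!r}")

        if e.domain is not None and not e.preload:
            e.warnings.append(
                f"line {lineno}: #DOM without #PRE; entry is only consulted after cache, WINS and broadcast fail")
        entries.append(e)
    return entries


def domain_controllers(entries: List[Entry]) -> List[str]:
    """Names that carry an effective (upper-case, parsed) #DOM: marker."""
    return [e.name for e in entries if e.domain is not None]


def all_warnings(entries: List[Entry]) -> List[str]:
    return [w for e in entries for w in e.warnings]


if __name__ == "__main__":
    parsed = parse_lmhosts(SAMPLE_LMHOSTS)
    print("Domain controllers:", domain_controllers(parsed))
    for w in all_warnings(parsed):
        print("WARNING:", w)
```

Run it against a real LMHOSTS file by reading the file instead of SAMPLE_LMHOSTS; FILESRV1 in the sample shows the failure mode Ariel warns about, since its lower-case "#pre #dom:CORP" parses as a comment and the host is neither preloaded nor recognised as a domain controller.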

-----Original Message-----
From: Chris [mailto:puetzc () yahoo com]
Sent: Saturday, August 26, 2000 5:29 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] Which ports to allow NT domain controllers ...?

Which ports do I need to open to allow all needed NT
domain controller packets to go through (updates to
domain, browsing, etc.) a firewall? All my boxes are
NT - no Unix. Any help is appreciated! Thanks!
Chris
_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

