Firewall Wizards mailing list archives
Re: screen and choke network config
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 28 May 2002 18:20:32 -0400 (EDT)
On Tue, 28 May 2002, Dave Piscitello wrote:
> I have just upgraded from a lame DSL bridged configuration to a routed configuration. I have an access router that can packet filter. Behind this I have a public IP subnet on which I run between 4-6 firewalls and VPN appliances. I'd like to process all syslog messages from the access router and firewalls at a server behind one of the firewalls, and so would open 514 inbound on the firewall (for a list of FWs), and block 514 inbound on the access router. This is done and is working nicely.
>
> I realized looking through my logs that I can save duplicate log entries if I packet filter annoying inbound TCP/UDP/ICMP types at the access router. Since all the firewalls will have a default deny all inbound policy (except the one firewall that allows http), I'd set the access router in an inverse manner to "allow anything but stuff I don't want duplicate log entries for". I wonder what beyond the following list you might add. These are the ports I most frequently see in my last 3 months' logs...
>
>   23              telnet
>   69              tftp
>   79              finger
>   111             sunrpc
>   137, 138, 139   msft noiseBOIS
>   161, 162        snmp, trap
>   194             irc
>   512-514         remote exec, login, shell
Depending upon the OSes you are running, port 111 might not be enough to block. I have a linux system that, after a number of reboots, I have been able to glean these related ports from; tcp/udp require some blocking:

rpc1="111 635 680 683 684 686 687 698 699"
rpc2="700 701 702 703 704 886 887 889 2049"

Additionally, I block these specifics, due to a number of other OSes, including windows of various versions, inside:

nbios="135:139"
winfr="1080 1090 1433 1900 5000"

Of course, due to other problems and to track scans I also block these:

lownast="7 19 59 79 107 177 161 162 445 515"
hinast="12345 12346 16660 18753 20034 20433 24452 27347 31337"
tellog="23 513 514"
ftpc="21"
ftpd="20"
xwin="6000:6010"

ssh is only allowed now inside from specific hosts, and adds a tad bit of control over those allowed to connect to machines behind the perimeter. I have additional specific blocks placed for certain machines for specific services I only allow to the inside network too. But, always for full safe measure, I block the tcp as well as the udp counterparts of ports, unless there's a specific reason not to.

Hope this helps,

Thanks,

Ron DuFresne
> I still want to see how my doorknob's being rattled, I just want to minimize the number of times I see any individual "rattle".
>
> David M. Piscitello
> Core Competence, Inc. & 3 Myrtle Bank Lane
> Hilton Head, SC 29926
> dave () corecom com
> 843.689.5595
> www.corecom.com
> hhi.corecom.com/~yodave/
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!
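Ron's port groups are written as shell variables, which suggests the script that consumes them. What follows is an added example, not code from the post or from either author: it expands those groups into iptables rules for the access router, emitting the udp counterpart of every tcp port (and vice versa) as Ron recommends, and logging each hit once at the router, rate-limited, so a rattle is still seen but the firewalls behind the router never see the packet to log it a second time. The chain names NOISE and NOISE_DROP, the log prefix, the limit values, the placement in INPUT and FORWARD, and the use of iptables at all are assumptions; the post does not say what tool Ron's variables feed. Sample groups are the ones from the post, and the script prints the rules for review rather than applying them.

```shell
#!/bin/sh
# Added example, not code from the list post: turn port-group variables in the
# notation Ron uses (space-separated ports, ranges as lo:hi) into iptables rules
# for the access router. Chain names NOISE and NOISE_DROP, the log prefix and the
# rate limit are assumptions for illustration. Rules are printed rather than
# applied so they can be reviewed first; run with --apply on the router as root.

CHAIN=NOISE

# Port groups as given in the post; edit or add groups here.
rpc1="111 635 680 683 684 686 687 698 699"
rpc2="700 701 702 703 704 886 887 889 2049"
nbios="135:139"
winfr="1080 1090 1433 1900 5000"
lownast="7 19 59 79 107 177 161 162 445 515"
hinast="12345 12346 16660 18753 20034 20433 24452 27347 31337"
tellog="23 513 514"
ftpc="21"
ftpd="20"
xwin="6000:6010"

# Accept a single port or a lo:hi range within 1-65535; reject anything else so a
# typo in a group fails here instead of half-way through loading the ruleset.
valid_port_spec() {
  case "$1" in
    ""|*[!0-9:]*|*:*:*|:*|*:) return 1 ;;
  esac
  lo=${1%%:*}; hi=${1##*:}
  if [ "$lo" -ge 1 ] && [ "$lo" -le 65535 ] && [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]; then
    return 0
  fi
  return 1
}

# One match rule per port spec for tcp AND udp (Ron: block the udp counterpart
# too unless there is a reason not to), jumping to the shared log-and-drop chain.
emit_group() {
  group=$1; specs=$2
  echo "# $group"
  for spec in $specs; do
    valid_port_spec "$spec" || { echo "bad port spec '$spec' in $group" >&2; return 1; }
    for proto in tcp udp; do
      echo "iptables -A $CHAIN -p $proto --dport $spec -j ${CHAIN}_DROP"
    done
  done
}

gen_ruleset() {
  # Log once, rate-limited, then drop: the router is the only place that records
  # the rattle, and the firewalls behind it never see the packet to log it again.
  echo "iptables -N ${CHAIN}_DROP"
  echo "iptables -A ${CHAIN}_DROP -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix \"noise: \""
  echo "iptables -A ${CHAIN}_DROP -j DROP"
  echo "iptables -N $CHAIN"
  emit_group rpc1    "$rpc1"
  emit_group rpc2    "$rpc2"
  emit_group nbios   "$nbios"
  emit_group winfr   "$winfr"
  emit_group lownast "$lownast"
  emit_group hinast  "$hinast"
  emit_group tellog  "$tellog"
  emit_group ftpc    "$ftpc"
  emit_group ftpd    "$ftpd"
  emit_group xwin    "$xwin"
  # Anything not matched in NOISE falls back to the normal policy, which is Dave's
  # "allow anything but ..." inversion of the firewalls' default deny. Hook the
  # chain ahead of INPUT (the router itself) and FORWARD (the public subnet).
  echo "iptables -I INPUT 1 -j $CHAIN"
  echo "iptables -I FORWARD 1 -j $CHAIN"
}

# Number of match rules in the generated ruleset: 2 per port spec (tcp + udp).
count_match_rules() {
  gen_ruleset | grep -c -- "-j ${CHAIN}_DROP\$"
}

case "${1:-}" in
  --apply) gen_ruleset | sh ;;
  *)       gen_ruleset ;;
esac
```

With the groups as listed the generator emits 98 match rules (49 port specs, tcp and udp each) plus the two shared NOISE_DROP rules, so adding a LOG per port is unnecessary and the single rate-limited LOG keeps a scan from filling the router's syslog. Dave's own list adds 69 and 194, which belong in a group here before applying; ICMP types he mentions need -p icmp --icmp-type rules, which this port-oriented generator does not produce.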
Current thread:
- screen and choke network config Dave Piscitello (May 28)
- Re: screen and choke network config R. DuFresne (May 29)
- Re: screen and choke network config Luca Berra (May 29)
- <Possible follow-ups>
- Re: screen and choke network config Kevin Johnson (May 30)
- Re: screen and choke network config Dave Piscitello (May 31)