Firewall Wizards mailing list archives

Re: screen and choke network config


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 28 May 2002 18:20:32 -0400 (EDT)

On Tue, 28 May 2002, Dave Piscitello wrote:

> I have just upgraded from a lame DSL bridged configuration to
> a routed configuration.
>
> I have an access router that can packet filter.
>
> Behind this I have a public IP subnet on which I run between
> 4-6 firewalls and VPN appliances.
>
> I'd like to process all syslog messages from the access router
> and firewalls at a server behind one of the firewalls, and so would
> open 514 inbound on the firewall (for a list of FWs), and block
> 514 inbound on the access router. This is done and is working
> nicely.
>
> I realized looking through my logs that I can save duplicate log
> entries if I packet filter annoying inbound TCP/UDP/ICMP types
> at the access router. Since all the firewalls will have a default
> deny all inbound policy (except the one firewall that allows http),
> I'd set the access router in an inverse manner
> to "allow anything but stuff I don't want duplicate log entries for".
>
> I wonder what beyond the following list you might add. These
> are the ports I most frequently see in my last 3 months' logs...
>
> 23 telnet
> 69 tftp
> 79 finger
> 111 sunrpc
> 137, 138, 139 msft noiseBOIS
> 161, 162 snmp, trap
> 194 irc
> 512-514 remote exec, login, shell


Depending upon the OSes you are running, port 111 might not be enough to
block.  I have a Linux system from which, after a number of reboots, I have
been able to glean these related ports; tcp/udp require some blocking:

rpc1="111 635 680 683 684 686 687 698 699"
rpc2="700 701 702 703 704 886 887 889 2049"


Additionally, I block these specifics, due to a number of other OSes,
including Windows of various versions, inside:

nbios="135:139"

winfr="1080 1090 1433 1900 5000"


Of course, due to other problems and to track scans I also block these:

lownast="7 19 59 79 107 177 161 162 445 515"

hinast="12345 12346 16660 18753 20034 20433 24452 27347 31337"

tellog="23 513 514"

ftpc="21"
ftpd="20"

xwin="6000:6010"


ssh is only allowed now inside from specific hosts, and adds a tad bit of
control over those allowed to connect to machines behind the perimeter.

I have additional specific blocks placed for certain machines for specific
services I only allow to the inside network too.  But, always for full
safe measures I block the tcp as well as the udp counterparts of ports,
unless there's a specific reason not to.


Hope this helps,

Thanks,

Ron DuFresne



> I still want to see how my doorknob's being rattled, I just
> want to minimize the number of times I see any individual "rattle".
>
> David M. Piscitello
> Core Competence, Inc. &
> 3 Myrtle Bank Lane
> Hilton Head, SC 29926
> dave () corecom com
> 843.689.5595
> www.corecom.com
> hhi.corecom.com/~yodave/


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
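As an added example (not code from Ron's or Dave's posts), here is a POSIX shell script that expands the port lists above into iptables rules for both tcp and udp, each jumping to a chain that logs a rate-limited sample and then drops, so a scan still shows up in syslog without one entry per packet. iptables syntax and the outside interface name eth0 are assumptions, not something either post states.

```shell
#!/bin/sh
# Added example, not code from the post: expand the port lists above into
# iptables rules that send matching inbound packets to a NOISE chain, which
# logs a rate-limited sample and then drops. Every port gets both a TCP and
# a UDP rule, as the post recommends. Output is iptables-restore syntax,
# printed rather than applied. Assumed: iptables, outside interface eth0.
EXT_IF="${EXT_IF:-eth0}"

# Port lists as given in the post ("135:139" is an iptables port range).
rpc1="111 635 680 683 684 686 687 698 699"
rpc2="700 701 702 703 704 886 887 889 2049"
nbios="135:139"
winfr="1080 1090 1433 1900 5000"
lownast="7 19 59 79 107 177 161 162 445 515"
hinast="12345 12346 16660 18753 20034 20433 24452 27347 31337"
tellog="23 513 514"
xwin="6000:6010"

# noise_chain: log at most 3 hits per minute, then drop, so one scan shows
# up in syslog a few times instead of once per packet.
noise_chain() {
    printf '%s\n' '-N NOISE'
    printf '%s\n' '-A NOISE -m limit --limit 3/min -j LOG --log-prefix "noise: "'
    printf '%s\n' '-A NOISE -j DROP'
}

# noise_rules "PORTS": one jump-to-NOISE rule per port (or range) per protocol.
noise_rules() {
    for port in $1; do
        for proto in tcp udp; do
            printf '%s\n' "-A INPUT -i $EXT_IF -p $proto --dport $port -j NOISE"
        done
    done
}

# rule_count "PORTS": number of INPUT rules a list expands to.
rule_count() { noise_rules "$1" | wc -l | tr -d ' '; }

# emit_all: the complete rule set for every list defined above.
emit_all() {
    noise_chain
    for ports in "$rpc1" "$rpc2" "$nbios" "$winfr" \
                 "$lownast" "$hinast" "$tellog" "$xwin"; do
        noise_rules "$ports"
    done
}

if [ "${1:-}" = "--emit" ]; then emit_all; fi
```

Run with `--emit` and review the output before feeding it to iptables-restore; the NOISE chain must be created before any INPUT rule references it, which is why emit_all prints it first.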


