Re: Firewall best practices

[Andre Lima <andreflima () gmail com>]

Hi jas,

Actually, it's not about the ports to block, but the ports to allow. 
That's assuming you're using a drop/deny all policy, which frankly you 
should.
But even with the deny all policy, there should be a few basic packets 
you should drop:
1. (if you're using iptables) drop invalid state packets
2. make sure you restrict ICMP trafic and never allow echo requests to 
get in (avoiding smurf attacks) or any broadcast traffic for that matter.
3. don't allow IP packets with options to get in. these are usually used 
by hackers to make spoofed packets go back to them (ip header length 
must be 5!)
4. mitigate spoofing or LAND DoS attacks by denying inside traffic with 
source IP adresses from private networks (192.168.0.0/16, etc)
5. (this is usually default modern OS behaviour but) make sure you 
mitigate TCP syn flood attacks with (usually OS supported) TCP cookies.
This should be the least the firewall should do.

--
André Lima
Cisco Certified Network Associate - CCNA
http://pwp.net.ipl.pt/alunos.isel/28838/


On 3/20/10 4:54 PM, Jason Lewis wrote:
> I was configuring a new firewall and was setting up rules to block
> things like SMB and known trojan port and remote access client.  It
> got me thinking that the process would be quicker if I had a list
> recommended ports/apps to block.
>
> Is anyone aware of such a list.  Best practices for ports to block
> seems like something that would exists, but I haven't had any luck in
> my search.
>
> jas
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>    

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards