RE: [OT] Firewall configuration... 1 of 2
- To: <ukha_d@xxxxxxx>
- Subject: RE: [OT] Firewall configuration... 1 of 2
- From: "Mark Harrison" <Mark.Harrison@xxxxxxx>
- Date: Thu, 27 Dec 2001 12:06:41 -0000
- Delivered-to: mailing list ukha_d@xxxxxxx
- Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
- Reply-to: ukha_d@xxxxxxx
Paul,
You're absolutely right in the "best practice" for incoming stuff.
You should always start from the basis that NOTHING is allowed EXCEPT
particular stuff you choose to let in.
However, you can start with a rule that allows ANYTHING _out_.
In my particular case (the office), I use Firewall-1, so my rules (which
in F-1's case are evaluated top to bottom [Note 1]) go something like:
Rule 1 (everything out):
  - From: INTERNAL NETWORK
  - To: Any
  - Port: Any
  - Action: Allow, don't log
Rule 2 (public web):
  - From: Any
  - To: WEBSERVER
  - Port: http, https
  - Action: Allow, log long
Rule 3 (developers' FTP):
  - From: SPECIFIC IP ADDRESS OF DEVELOPMENT COMPANY WE USE
  - To: WEBSERVER
  - Port: ftp
  - Action: Allow, log long
Rule 4 (cleanup):
  - From: Any
  - To: Any
  - Port: Any
  - Action: REJECT
[1] Note to pedants. Yes, I _do_ understand the _whole_ of F-1 rule
evaluation order, but I don't use any of _that_ stuff ;-)
Mark Harrison
Head of Systems, eKingfisher
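The rulebase above is evaluated top to bottom, first match wins, so rule order is the whole policy. The Python below is an added example (not Mark's Firewall-1 configuration and not code from the list): it models the four rules he lists, evaluates constructed sample flows against them, and adds the check a practitioner wants after every edit, a shadowing test that reports rules an earlier, broader rule makes unreachable. The network ranges, the web server and developer addresses, and the sample flows are all assumed placeholders, not values from the post.

```python
"""First-match evaluation of an ordered firewall rulebase.

Added example modelled on the four rules Mark lists above; it is not
Firewall-1 code. The address ranges and the sample flows are constructed
for the demo (assumptions, not values from the post).
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"

# Constructed placeholders for the objects named in the post.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
WEBSERVER = ipaddress.ip_network("192.0.2.10/32")
DEV_COMPANY = ipaddress.ip_network("198.51.100.7/32")
HTTP, HTTPS, FTP = 80, 443, 21


@dataclass(frozen=True)
class Rule:
    name: str
    src: object     # ip_network or ANY
    dst: object     # ip_network or ANY
    ports: object   # frozenset of destination ports or ANY
    action: str     # "allow" or "reject"
    log: str        # "none" or "long"


def _matches(spec, value):
    """A rule field matches if it is ANY or the value lies inside it."""
    if spec is ANY:
        return True
    return value in spec      # port in frozenset, or ip_address in ip_network


# The rulebase from the post, in the order F-1 evaluates it (top to bottom).
RULESET = [
    Rule("internal-out", INTERNAL_NET, ANY, ANY, "allow", "none"),
    Rule("web-in", ANY, WEBSERVER, frozenset({HTTP, HTTPS}), "allow", "long"),
    Rule("dev-ftp-in", DEV_COMPANY, WEBSERVER, frozenset({FTP}), "allow", "long"),
    Rule("cleanup", ANY, ANY, ANY, "reject", "long"),
]


def evaluate(ruleset, src, dst, port):
    """Return (action, rule name) of the first rule that matches.

    With no explicit cleanup rule the evaluator still fails closed, which is
    the default-deny starting point the thread recommends.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for rule in ruleset:
        if (_matches(rule.src, src) and _matches(rule.dst, dst)
                and _matches(rule.ports, port)):
            return rule.action, rule.name
    return "reject", "implicit-deny"


def _covers(broad, narrow):
    """True if every value matching `narrow` also matches `broad`."""
    if broad is ANY:
        return True
    if narrow is ANY:
        return False
    if isinstance(broad, frozenset):
        return narrow <= broad
    return narrow.subnet_of(broad)


def shadowed_rules(ruleset):
    """Names of rules that can never fire because an earlier rule covers them.

    An ordering slip (e.g. the reject-all rule dragged to the top) silently
    turns allow rules into dead entries; run this after every rulebase edit.
    """
    shadowed = []
    for i, rule in enumerate(ruleset):
        for earlier in ruleset[:i]:
            if (_covers(earlier.src, rule.src) and _covers(earlier.dst, rule.dst)
                    and _covers(earlier.ports, rule.ports)):
                shadowed.append(rule.name)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample flows: (src, dst, destination port).
    samples = [
        ("10.1.2.3", "203.0.113.5", 25),      # office host sending mail out
        ("203.0.113.5", "192.0.2.10", 443),   # public HTTPS to the web server
        ("203.0.113.5", "192.0.2.10", 21),    # public FTP: not the dev company
        ("198.51.100.7", "192.0.2.10", 21),   # dev company FTP
        ("203.0.113.5", "10.1.2.3", 445),     # inbound SMB to an internal host
    ]
    for flow in samples:
        print(flow, "->", evaluate(RULESET, *flow))
    # Cleanup rule moved to the top: everything below it becomes unreachable.
    print("shadowed:", shadowed_rules([RULESET[-1]] + RULESET[:-1]))
```

The shadowing check only treats a rule as dead when a single earlier rule fully covers its source, destination and port set; a rule hidden by the union of several earlier rules is not reported, which is the usual limitation of this kind of quick linear check.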
-----Original Message-----
From: Paul Gordon [mailto:paul_gordon@xxxxxxx]
Sent: 27 December 2001 11:53
To: ukha_d@xxxxxxx
Subject: [ukha_d] [OT] Firewall configuration...
OK chaps, time to get my firewall sorted out I guess....
Currently it's wide open, with just one rule (block all NetBIOS).
I'm planning to add a default rule which blocks EVERYTHING, then add
specific rules to open up individual ports/services as required... (is this
the best configuration?)
Looking for any "gotchas" from those of you who've done this - are there
any port numbers I should leave open that I might not have considered?
(What port does MSN Messenger use?)
Paul G.
For more information: http://www.automatedhome.co.uk
Post message: ukha_d@xxxxxxx
Subscribe: ukha_d-subscribe@xxxxxxx
Unsubscribe: ukha_d-unsubscribe@xxxxxxx
List owner: ukha_d-owner@xxxxxxx