The UK Home Automation Archive


RE: [OT] Firewall configuration...


  • To: <ukha_d@xxxxxxx>
  • Subject: RE: [OT] Firewall configuration...
  • From: "Mark Hetherington" <mark.egroups@xxxxxxx>
  • Date: Thu, 27 Dec 2001 18:37:37 -0000
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

> I'm planning to add a default rule which blocks EVERYTHING, then add
> specific rules to open up individual ports/services as required...
> (is this the best configuration?)

Yes definitely.

Additionally, when opening ports and services, define application rules
rather than system rules to avoid rogue programs finding a valid open port
to use. E.g. "Allow YourFTPProgram to use 21 and 20" but not
"allow YourPC to use 20 and 21".

Finally, if available use stealth rather than rejection notices for
attempted access.

> Looking for any "gotchas" from those of you who've done this -
> are there any port numbers I should leave open that I might not have
> considered?

It depends completely on what incoming and outgoing connections you want.
e.g.

FTP needs 21 and 20. Some FTP servers may try to use other pseudo ports.
A number of internet services will poll 113 for AUTH (e.g. IDENT from IRC).
Usenet uses 119, but for secure usenet you would usually use 563.
HTTP(s) will be 80 and/or 8080. There are some variants which use 81 and
8081 (usually 'security through obscurity' services on systems like Cobalt
RAQs).
IRC usually operates on 6667, but some servers allow 6660-6669 and 7000 or
only one from that selection. IRC sometimes insists on the presence of an
IDENT server on port 113 to allow a connection.

The best way is, as you originally stated, to start completely closed
(preferably with stealth rather than broadcasting rejection notices). Then
open stuff only as and when required on an app by app basis. Apart from
little used apps, you should have a comprehensive ruleset after only a few
hours general use.

If you cannot persuade the hardware router to give logs/errors on ports
that you want to track, download Norton Internet Security trial version.
That will give you a 30 day software firewall which can be configured to
announce every single access inbound and outbound. If nothing else, it will
be a good "assistant" to setup the hardware firewall rules.

> (What port does MSN Messenger use?)

IIRC MSN Messenger can be "persuaded" to operate completely through Port 80.
Avoid ICQ since by the time you have opened all the ports it wants you may
as well disable the firewall.

HTH.

Mark.
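As an added illustration (not part of the post or any product it mentions), a small Python model of the policy Mark describes: default deny, allow rules bound to an application rather than the whole PC, and silent drop ("stealth") instead of a rejection notice for anything unmatched. The rule and program names (YourFTPProgram, browser, newsreader, ircclient, identd) are assumptions, and the port list is the one given in the reply.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical policy model, constructed for this example.
@dataclass(frozen=True)
class Rule:
    app: Optional[str]   # None means a system-wide rule: any program may use the ports
    direction: str       # "in" or "out"
    ports: frozenset

@dataclass
class Policy:
    rules: list = field(default_factory=list)
    stealth: bool = True  # True: silently drop; False: send a rejection notice

    def allow(self, app, direction, *ports):
        self.rules.append(Rule(app, direction, frozenset(ports)))

    def decide(self, app, direction, port):
        """Default deny: only an explicit matching rule can allow a connection."""
        for r in self.rules:
            if r.direction == direction and port in r.ports and r.app in (None, app):
                return "allow"
        return "drop" if self.stealth else "reject"

def build_policy(application_rules=True, stealth=True):
    """Build the ruleset from the ports named in the reply.

    application_rules=True binds each allow to one program (the advice given);
    application_rules=False turns the same allows into system rules, so any
    program, rogue or not, can use an open port.
    """
    p = Policy(stealth=stealth)
    owner = (lambda name: name) if application_rules else (lambda name: None)
    p.allow(owner("YourFTPProgram"), "out", 20, 21)   # FTP control and data
    p.allow(owner("browser"), "out", 80, 8080)        # HTTP and common proxy port
    p.allow(owner("newsreader"), "out", 119, 563)     # Usenet, plain and secure
    p.allow(owner("ircclient"), "out", 6667)          # IRC
    p.allow(owner("identd"), "in", 113)               # IDENT, which some IRC servers insist on
    return p

if __name__ == "__main__":
    strict = build_policy()
    print(strict.decide("YourFTPProgram", "out", 21))  # allow
    print(strict.decide("rogue.exe", "out", 21))       # drop: port open, but not for this program
    print(build_policy(application_rules=False).decide("rogue.exe", "out", 21))  # allow
```

Comparing the two `rogue.exe` results shows why the reply prefers application rules: with system rules any program on the PC inherits every open port.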


