Hello,
can anyone tell me what a generic site should filter out on its router
interfaces. Especially, what should be blocked on the interface between the local
network and the public net? Some of the protocols below we would also like to block
on some internal interfaces.
We even plan to play with a firewall in some segments of our
network. The network has one physical router with about 8 interfaces
connecting to subnets. Subnets have ethernet switches, and partially
still have hubs. Clients use MS Windows 3.11, W95, W98 and NT, and use SMBFS file
sharing. However, in some segments we want to disable SMBFS, thus we
hope that filtering destination ports TCP/UDP 137, 138 would be
sufficient.
Can we filter out destination TCP/UDP port 53? It seems that new BIND
implementations don't use this privileged port. In any case, can we safely
filter this out in the areas where no nameservers are physically connected?
We do not use rsh, rlogin etc. In a few places we use nfs, so portmap and
nfs below will not be filtered out. Same with port 9100. Otherwise, this
would be a general rule.
We also plan to block these:
service        port  type      comments
echo              7  TCP/UDP
systat           11  TCP
netstat          15  TCP
bootp            67  UDP
tftp             69  UDP
link             87  TCP
supdup           95  TCP
portmap         111  TCP/UDP   filtered only where nfs not needed
exec            512  TCP
login           513  TCP
who             513  UDP
shell           514  TCP
syslog          514  UDP
printer         515  UDP       blocks connections to lpd from remote?
route           520  UDP
uucp            540  UDP
openwin        2000  TCP
nsws-nexstep    178  TCP
nfs            2049  TCP/UDP
print          9100  TCP       for HP-JetDirect cards
Do you have any more to add?
TIA
--
Martin Mokrejs - PGP 5.0i key at: finger://mail.natur.cuni.cz/mmokrejs
<mmokrejs_at_natur.cuni.cz> Faculty of Science, The Charles University
Received on Tue Jan 26 1999 - 13:20:58 NZDT
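The policy sketched in the post (a general block list, with portmap/nfs kept open only on segments that need NFS, 9100 kept open only where JetDirect printers live, and NetBIOS blocked only on segments where SMB is to be disabled) lends itself to being written down as data and turned into filter rules mechanically, so that per-segment exceptions are explicit rather than scattered across hand-edited ACLs. The following is an added example, not code from the original post or its author. The interface names, the assignment of segments to NFS/JetDirect/SMB-blocked roles, and the iptables rule syntax are all assumptions (the post names no router product or firewall); the list of services is transcribed from the post, with three additions in the example's own voice: TCP/139 (NetBIOS session service) is added to the SMB group, and printer/515 and uucp/540 are listed for both TCP and UDP because lpd and uucpd listen on TCP.

```python
"""Generate per-interface packet-filter rules from a tabulated block list.

Added example. Assumptions: interface names eth0..eth3 and their roles are
hypothetical; rules are emitted in iptables syntax for a Linux router.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    protos: tuple          # ("tcp",), ("udp",) or ("tcp", "udp")
    group: str = "always"  # "always", "nfs", "jetdirect" or "smb"


# Block list transcribed from the post. "nfs" and "jetdirect" services stay
# open only on segments that ask for them; "smb" services are blocked only
# on segments where SMB file sharing is to be disabled.
SERVICES = [
    Service("echo", 7, ("tcp", "udp")),
    Service("systat", 11, ("tcp",)),
    Service("netstat", 15, ("tcp",)),
    Service("bootp", 67, ("udp",)),
    Service("tftp", 69, ("udp",)),
    Service("link", 87, ("tcp",)),
    Service("supdup", 95, ("tcp",)),
    Service("portmap", 111, ("tcp", "udp"), "nfs"),
    Service("nextstep", 178, ("tcp",)),
    Service("exec", 512, ("tcp",)),
    Service("login", 513, ("tcp",)),
    Service("who", 513, ("udp",)),
    Service("shell", 514, ("tcp",)),
    Service("syslog", 514, ("udp",)),
    Service("printer", 515, ("tcp", "udp")),   # post lists UDP; lpd is TCP/515
    Service("route", 520, ("udp",)),
    Service("uucp", 540, ("tcp", "udp")),      # post lists UDP; uucpd is TCP/540
    Service("openwin", 2000, ("tcp",)),
    Service("nfs", 2049, ("tcp", "udp"), "nfs"),
    Service("jetdirect", 9100, ("tcp",), "jetdirect"),
    Service("netbios-ns", 137, ("tcp", "udp"), "smb"),
    Service("netbios-dgm", 138, ("tcp", "udp"), "smb"),
    Service("netbios-ssn", 139, ("tcp",), "smb"),  # addition: SMB session port
]


@dataclass(frozen=True)
class Segment:
    iface: str
    allow: frozenset = frozenset()  # optional groups this segment keeps open
    block_smb: bool = False         # True where SMBFS is to be disabled


# Hypothetical segment layout (not from the post).
SEGMENTS = [
    Segment("eth0"),                                          # public/uplink side
    Segment("eth1", allow=frozenset({"nfs"})),                # NFS server lives here
    Segment("eth2", allow=frozenset({"jetdirect"}), block_smb=True),
    Segment("eth3", block_smb=True),
]


def blocked_on(seg: Segment, svc: Service) -> bool:
    """Decide whether a service from the list is filtered on this segment."""
    if svc.group == "always":
        return True
    if svc.group == "smb":
        return seg.block_smb
    return svc.group not in seg.allow


def rules_for(seg: Segment) -> list:
    """iptables commands dropping the blocked destination ports both into
    and out of the segment (traffic arriving on and leaving via its interface)."""
    out = []
    for svc in SERVICES:
        if not blocked_on(seg, svc):
            continue
        for proto in svc.protos:
            for direction in ("-i", "-o"):
                out.append(
                    f"iptables -A FORWARD {direction} {seg.iface} -p {proto} "
                    f"--dport {svc.port} -j DROP  # {svc.name}"
                )
    return out


def would_block(iface: str, proto: str, dport: int) -> bool:
    """Policy check: is (proto, dport) filtered on the named interface?"""
    seg = next(s for s in SEGMENTS if s.iface == iface)
    return any(blocked_on(seg, s) for s in SERVICES
               if s.port == dport and proto in s.protos)


if __name__ == "__main__":
    for seg in SEGMENTS:
        print(f"# {seg.iface}: {len(rules_for(seg))} rules")
        print("\n".join(rules_for(seg)))
```

`would_block` is the part worth keeping around: after editing the table it answers "does segment X still reach NFS on Y?" without rereading the generated rule set, and the per-service `group` tag is what stops an exception for one segment (NFS on eth1) from silently leaking into the general rule.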