Post #116,130
8/31/03 8:01:56 PM
|

Recently started experimenting with router rules
Have an adsl conn to Internet & a Wi-Fi access point with 4-port hub plugged into the adsl modem.
This w/e took the time to start applying filtering in the Wi-Fi router. Basically I connected to Gibson Research (www.grc.com) & used his 'Shields-Up' to probe my ports. I used his port table to check what was in stealth mode & what the purpose of particular ports is now.
I have filtered out 137-139 & about 10 others such as 445 etc.
Does anyone have a base 'rule-of-thumb' for filtering ports? Also am looking at what ports I need to block for outgoing traffic.
What I am not clear on is if there are special ports used such as when a DNS is contacted etc.
Any links clues would be appreciated.
Cheers
Doug Marker
|
Post #116,131
8/31/03 8:05:39 PM
|

In general...
...My rules start with "shut down everything and then open only what you know you're using." Go from there.
-YendorMike
[link|http://www.hope-ride.org/|http://www.hope-ride.org/]
|
Post #116,154
9/1/03 12:21:37 AM
|

What he said: open what you need, ending with a deny all.
America, Love it or give it back questions, help? [link|mailto:pappas@catholic.org|email pappas at catholic.org]
|
Post #116,172
9/1/03 3:46:10 AM
|

Re: Recently started experimenting with router rules
Doug wrote:
Does anyone have a base 'rule-of-thumb' for filtering ports.
Sure. Run an operating system where you only run the network daemons you wish to run, can choose whether to make them bind to localhost only or to outside interfaces as well, and where you can easily turn them on/off, determine what's running and why, and substitute different implementations if you don't trust the current one.
If any of those things isn't true -- and in particular if you cannot reasonably control what network services are exposed to outside -- then you're not running a reasonable operating system, and should start your work there.
Fortunately, any modern microcomputer operating system will do fine. Take your pick: *BSD, Mac OSX, or Linux.
Rick Moen rick@linuxmafia.com
If you lived here, you'd be $HOME already.
|
Post #116,187
9/1/03 9:50:58 AM
|

You could probably block everything.
Everything except replies, that is, presuming you weren't hosting anything. Though if you were intending to connect to IRC, you probably want requests to Ident to be denied rather than blocked. IIRC, some IRC servers don't particularly like IRCers who won't ignore Ident requests.
For outbound, it depends how much you trust your network. Again, start with nothing and then open up what you need. HTTP is 80 (usually), but there are sites on odd ports; 81, 8000, 8080 and 8888 are common. DNS is 53. SMTP is 25. POP3 is 110, I think. I'm sure you could easily look up anything else you want. 137-139 is NBT (Microsoft networking) if you want to specifically block that.
Wade.
Is it enough to love / Is it enough to breathe / Somebody rip my heart out / And leave me here to bleed
Is it enough to die / Somebody save my life / I'd rather be Anything but Ordinary / Please
-- "Anything but Ordinary" by Avril Lavigne.
|
Post #116,268
9/1/03 9:21:08 PM
|

Re: You could probably block everything.
The suggestions so far seem ok - I have taken the approach to close 'infamous' ports, then open if needed.
But at the moment I seem to get messages that my OS can't communicate with a.b.c.d (DNS). I didn't actually think I had shut off port 53, but even that is incoming to a DNS (isn't it)?
I seem to be able to get to most web sites ok.
Cheers Doug
|
Post #116,302
9/2/03 4:02:12 AM
|

Haven't seen that one.
Some DNS servers respond to port 53, but they're not supposed to do that to DNS queries. That would be the only thing I could think of.
Wade.
|
Post #116,304
9/2/03 4:20:30 AM
|

Eh?
Wade wrote:
Some DNS servers respond to port 53, but they're not supposed to do that to DNS queries.
I would bloody well hope they all do.
uncle-enzo:/tmp# lsof -i TCP:53
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
named 31711 root 10u IPv4 427044 TCP localhost:domain (LISTEN)
named 31711 root 12u IPv4 427046 TCP linuxmafia.com:domain (LISTEN)
named 31712 root 10u IPv4 427044 TCP localhost:domain (LISTEN)
named 31712 root 12u IPv4 427046 TCP linuxmafia.com:domain (LISTEN)
named 31713 root 10u IPv4 427044 TCP localhost:domain (LISTEN)
named 31713 root 12u IPv4 427046 TCP linuxmafia.com:domain (LISTEN)
named 31714 root 10u IPv4 427044 TCP localhost:domain (LISTEN)
named 31714 root 12u IPv4 427046 TCP linuxmafia.com:domain (LISTEN)
named 31715 root 10u IPv4 427044 TCP localhost:domain (LISTEN)
named 31715 root 12u IPv4 427046 TCP linuxmafia.com:domain (LISTEN)
uncle-enzo:/tmp#
Rick Moen rick@linuxmafia.com
If you lived here, you'd be $HOME already.
|
Post #116,305
9/2/03 4:29:51 AM
|

Sorry, I mis-typed.
I meant some DNS servers make a response back to port 53, rather than back to the port the connection came in on. English vagaries aside, I'm probably mis-remembering something in the O'Reilly book. :-)
Wade.
|
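As an added example (mine, not code from anyone in this thread or from any router), here is a toy stateful filter in Python that models the advice given above: deny everything, allow only replies to connections the LAN opened, open just the outbound services Wade lists, keep 137-139/445 closed both ways, and refuse Ident rather than silently dropping it. It also covers the DNS wrinkle from the last few posts: a reply is matched by the flow it answers, not by its port number, so a reply arriving at port 53 (a resolver that sent its query from port 53) is still let through while an unsolicited packet to port 53 is not. All addresses and ports are constructed sample values.

```python
# Added example (not from the thread): a toy stateful filter modelling
# "block everything except replies, then open what you use".
from dataclasses import dataclass

# Outbound services named in the thread; anything else leaving the LAN is dropped.
OUTBOUND_OK = {("tcp", 80), ("tcp", 81), ("tcp", 8000), ("tcp", 8080),
               ("tcp", 8888), ("udp", 53), ("tcp", 53), ("tcp", 25), ("tcp", 110)}
BLOCK_BOTH_WAYS = {137, 138, 139, 445}   # NBT/SMB: never across the ADSL link
REJECT_INBOUND = {("tcp", 113)}          # Ident: refuse openly so IRC does not stall

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = LAN -> Internet, "in" = Internet -> LAN

class Filter:
    def __init__(self):
        # Flows the LAN side opened: (proto, lan_ip, lan_port, remote_ip, remote_port)
        self.flows = set()

    def decide(self, p: Packet) -> str:
        if p.sport in BLOCK_BOTH_WAYS or p.dport in BLOCK_BOTH_WAYS:
            return "DROP"
        if p.direction == "out":
            if (p.proto, p.dport) not in OUTBOUND_OK:
                return "DROP"
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        # Inbound: a reply is recognised by the flow it answers, not by port number.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ACCEPT"
        if (p.proto, p.dport) in REJECT_INBOUND:
            return "REJECT"   # ICMP/RST goes back; the peer learns nothing is listening
        return "DROP"         # silent drop: what Shields-Up reports as "stealth"

def dns_walkthrough(resolver_port: int) -> list:
    """Send a DNS query from the LAN host's resolver_port to UDP 53, then judge
    the server's reply and an unsolicited packet. resolver_port=53 models a
    resolver that queries *from* port 53, so the reply also lands on port 53."""
    fw = Filter()
    lan, ns = "192.168.1.10", "203.0.113.53"   # constructed sample addresses
    query = Packet("udp", lan, resolver_port, ns, 53, "out")
    reply = Packet("udp", ns, 53, lan, resolver_port, "in")
    stray = Packet("udp", "198.51.100.7", 53, lan, resolver_port, "in")  # unsolicited
    return [fw.decide(query), fw.decide(reply), fw.decide(stray)]
```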