March 4th, 2004 04:29 AM
I have seen a lot of threads about the best firewall but haven't heard that much about actual filtering rules. If there is already a thread you can point me there. I was wanting to hear from some of the security folks about the advanced rules that you have on your home PC. For example blocking ports 135-139 both incoming and outgoing traffic on all ports and protocols. I have a decent knowledge of what ports different protocols typically use but not quite sure what to block and what not to block. Right now on Sygate I am blocking all ICMP traffic, 135-139, 21 when not using FTP. Is it safe to block port 445? Whenever I do block 445 my internet does not work. If you could post some rules for me to help lock down my computer I would really appreciate it. Thanks
March 4th, 2004 05:33 AM
There isn't a specific set of ports that need to be blocked. The first thing to do is run Fport: http://www.foundstone.com/knowledge/proddesc/fport.html. This will show you your open ports and the applications/processes that opened them.
After you know what ports you need, figure out the ones you don't. If you don't know what services use a certain port, look it up here: http://www.iana.org/assignments/port-numbers
Figure out from here what you need to restrict.
BTW, Sygate is pretty good right out of the box.
Real security doesn't come with an installer.
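To make the "inventory first, then restrict" advice above concrete, here is an added example (not from any poster, and not Fport itself) that parses a netstat-style listing into listening sockets and sorts them into the buckets a reviewer would look at: the NetBIOS/SMB ports mentioned in this thread, loopback-only listeners that cannot be reached from outside, and everything else that needs a decision. The netstat text and the PID-to-process map are constructed samples; on a real Windows box they would come from `netstat -ano` and `tasklist` respectively.

```python
"""Inventory listening ports from netstat-style output.

Added example for this thread, not Fport or Sygate code. The idea is the one
the post recommends: learn which ports are actually open and which process
owns them before deciding what to block.
"""
import re

# Constructed sample that mimics `netstat -ano` on Windows; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.5:139          0.0.0.0:0              LISTENING       4
  TCP    192.0.2.5:1034         203.0.113.10:80        ESTABLISHED     1520
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1200
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:138            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    700
"""

# Constructed PID -> image name map (tasklist would supply this on a real host).
SAMPLE_PIDS = {4: "System", 876: "svchost.exe", 1200: "mydaemon.exe",
               1520: "firefox.exe", 700: "lsass.exe"}

# The NetBIOS/SMB-related ports the thread singles out.
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 135), ("tcp", 139), ("tcp", 445)}

# Proto, local addr:port, foreign addr, optional state (UDP has none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def listening_sockets(netstat_text, pid_names):
    """Return one dict per socket that is actually accepting traffic.

    TCP sockets count only when in LISTENING state; established flows are
    outbound connections, not exposure. UDP sockets have no state column,
    so every UDP entry counts as a listener.
    """
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line or something we do not understand
        proto, local_ip, port, _foreign, state, pid = m.groups()
        proto = proto.lower()
        if proto == "tcp" and state != "LISTENING":
            continue
        found.append({"proto": proto, "ip": local_ip, "port": int(port),
                      "pid": int(pid), "name": pid_names.get(int(pid), "unknown")})
    return found


def classify(sockets):
    """Split listeners into the buckets a reviewer cares about."""
    buckets = {"netbios_smb": [], "loopback_only": [], "review": []}
    for s in sockets:
        if (s["proto"], s["port"]) in NETBIOS_PORTS:
            buckets["netbios_smb"].append(s)      # covered by NetBIOS protection / blocking
        elif s["ip"].startswith("127."):
            buckets["loopback_only"].append(s)    # unreachable from the network as-is
        else:
            buckets["review"].append(s)           # needs a "do I need this?" decision
    return buckets


if __name__ == "__main__":
    report = classify(listening_sockets(SAMPLE_NETSTAT, SAMPLE_PIDS))
    for bucket, entries in report.items():
        print(bucket)
        for e in entries:
            print(f"  {e['proto']}/{e['port']:<5} {e['ip']:<12} pid={e['pid']} ({e['name']})")
```

Run it as-is to see the constructed listing sorted; on a real machine, replace the two constructed samples with the output of the two commands named above. The "review" bucket is the one where the IANA port list linked in the next post earns its keep.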
March 4th, 2004 07:47 AM
March 4th, 2004 08:58 AM
You can achieve similar results as Fport by right clicking and choosing connection details from the running applications menu of Sygate. Sygate uses Stateful Packet Inspection so if a packet coming in does not match up with a request in the state table then it's silently dropped anyway. No need for advanced rules unless you are going to allow certain traffic through and want it to follow your specifications.
NetBIOS protection will protect against any probes coming in from outside your gateway to all related ports (UDP ports 88, 137, 138 and TCP ports 135, 139, 445, 1026). If you have and do not trust your other LAN computers you can disable the ability of others to share your files from the Network Neighborhood tab and/or set up MAC address filtering.
Test your computer's configuration if it's acting as its own gateway with a web based portscan to get an idea what if any changes need to be made.
March 4th, 2004 09:01 AM
My ruleset is very simple:
Deny and Drop everything except for the ports I specify below. This way ALL ports are closed regardless except the ones I specify I want open, eliminating the ability for a virus/trojan to suddenly sprout up on a port I never thought of blocking.
After that, it's all about application control
March 4th, 2004 05:57 PM
It's free, it will do what you need it to. You can filter by ports, content, typing, protocols, whatever. Heck, you can even interface it with various modules floating around that actually look at content... as in: 'what is the jpeg of?', or 'what is the document about?'
I think the only ones you'd find better would be Gauntlet (which is based off of FWTK) or Sidewinder (which is based off, albeit more loosely, of LOCK, likely the most secure system and the foundation of/inspiration for many of the most secure systems: SMG & AITS6), but both of these firewalls are pricey and although FWTK isn't really in the same league with those two, it is pretty much the closest to them.
March 5th, 2004 01:01 AM
Thanks for the excellent advice guys. I wasn't sure how important these advanced rules were but it makes me feel safer knowing that I am cutting down on possible ways for an attacker to get in. Later
March 5th, 2004 08:13 AM
I think that as a general rule, it's safest to drop all incoming things except where they're part of an existing connection (stateful firewall), then open up ports as required by your applications.
Some people also think it's a good idea to block some outgoing traffic too, but that is more of a matter of opinion. For a home user it shouldn't be necessary, because they should not have any unauthorised or unexpected apps on their machine.
I believe that application-level software firewalls are a waste of time because:
- Big overhead of having to click yes or no for applications being allowed to access the internet
- Potential DoS if you're not there to click it
- If you have a piece of malware on your machine, you have lost all hope of being secure anyway
These things are traditionally designed to combat unauthorised remote control programs (i.e. Remote access trojans) - yet they aren't entirely effective against them, but do cause all sorts of other grief.
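Three posts in this thread describe the same policy from different angles: Sygate's stateful inspection (inbound packets that do not match the state table are dropped), pooh sun tzu's "deny and drop everything except the ports I specify", and the post above (drop all incoming unless part of an existing connection, then open ports as applications need them). Here is an added example, not code from any poster or from Sygate, that models that policy as a toy packet filter so the decision logic can be traced. Packets, addresses and the single opened port (TCP 22) are constructed assumptions; nothing here touches a real network.

```python
"""Toy default-deny stateful packet filter (added example for this thread).

Policy modelled:
  * outbound packets are allowed and recorded in a state table;
  * inbound packets are accepted only if they answer a recorded outbound
    flow, or if they hit a port the owner explicitly opened;
  * everything else is silently dropped, whether or not anyone thought
    to write a block rule for that port.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (towards this host) or "out" (from this host)
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFilter:
    def __init__(self, allowed_inbound=()):
        # (proto, port) pairs the owner has chosen to expose; empty = nothing open
        self.allowed_inbound = set(allowed_inbound)
        # state table: 5-tuples of outbound flows this host has started
        self.state = set()

    def evaluate(self, pkt):
        """Return "accept" or "drop" for one packet, updating state as a real
        stateful firewall would on an outbound flow."""
        if pkt.direction == "out":
            self.state.add((pkt.proto, pkt.src_ip, pkt.src_port,
                            pkt.dst_ip, pkt.dst_port))
            return "accept"
        # Inbound: does this answer a flow we opened? (swap src/dst to look it up)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.state:
            return "accept"
        # Not a reply: only an explicitly opened port gets through.
        if (pkt.proto, pkt.dst_port) in self.allowed_inbound:
            return "accept"
        return "drop"   # default deny; no per-port block rule needed


def run_demo():
    """Feed constructed traffic through the filter and return the decisions."""
    fw = StatefulFilter(allowed_inbound={("tcp", 22)})   # assumption: owner exposes one service
    me, web, stranger = "192.0.2.5", "203.0.113.10", "198.51.100.77"   # constructed addresses
    packets = [
        Packet("out", "tcp", me, 40000, web, 80),        # our browser opens a page
        Packet("in",  "tcp", web, 80, me, 40000),        # the reply: state table hit
        Packet("in",  "tcp", stranger, 52000, me, 445),  # unsolicited SMB probe
        Packet("in",  "udp", stranger, 137, me, 137),    # unsolicited NetBIOS name probe
        Packet("in",  "tcp", stranger, 52001, me, 22),   # hits the one opened port
        Packet("in",  "tcp", web, 80, me, 40001),        # looks like a reply, but no matching flow
    ]
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The last packet is the interesting one: it comes from the web server we really did talk to, on port 80, but to a local port we never used, so there is no state entry and it is dropped. That is exactly why the "deny everything, then open what you need" approach does not require the owner to enumerate ports 135-139 or 445 by hand; the OP's 445 rule becomes unnecessary under this policy rather than something to get right.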
March 16th, 2004 07:28 AM
The easiest way as pooh sun tzu mentioned is to deny all and allow the ports you want to get in. After that it's all about application control. You would allow ports that the specific application would use. The other way is to physically disable services you do not need running on your system. That way services are not open even though they aren't being used.
The best result is always a combination of several factors which would make your system less prone to attacks. Ideally a home PC can have a F/W with application control, IDS, and anti-virus. This is a good combo to reduce the bulk of the attacks. But on the other hand we should make sure we rigorously apply all relevant OS and application patches also.
March 16th, 2004 06:36 PM
Covert, here are some websites that have some basic firewall information for various firewalls. Mind you, some of these links are older than others but provide good information nonetheless.
This can be used with Outpost and they say other firewalls as well (it was designed by Agnitum) http://www.pcflank.com/fw_rules_db.htm
This is for Norton's Firewall
Some Sygate Firewall Basics
Some rules for Kerio
That's a few, I'm sure there's a crap load more I haven't found. Anyways, good luck.
The object of war is not to die for your country but to make the other bastard die for his - George Patton