Archived from groups: comp.security.firewalls
On Fri, 2 Apr 2004 15:09:49 +0200, GJ spoketh
><quote who="Lars M. Hansen">
>>> We are implementing desktop firewall for all our users. Does anyone have
>>> the most restrictive rules for:
>>> 1. client mapping network drive (client: Win98, Win2K, WinXP; server:
>>> Win2K, Linux Samba)
>>> 2. client joining AD domain and the communication between them.
>
>> You need to allow:
>>
>> 53/UDP/TCP (dns)
>> 68/UDP (dhcp)
>> 88/TCP/UDP (kerberos)*
>> 135/TCP (dcom/rpc)*
>> 137-139/UDP/TCP (netbios)
>> 389/TCP (ldap)
>> 445/TCP/UDP (netbios)
>> 464/TCP/UDP (kpasswd)*
>> 500/TCP/UDP (isakmp)*
>
>Which remote ports do i need to allow?
>For example, I allow TCP/UDP incoming local port 138 but does the remote
>port also need to be 138 or can it be any port?
Netbios connections use any local port higher than 1024.
>I am particularly interested in the ports 135, 137-139, 445 for the
>network drives and shares. (Blaster used 135 I thought, so how do I allow
>management traffic but disallow other traffic?).
MS-Blaster and other worms that exploited the DCOM vulnerability did use
port 135. The only way to protect your LAN from internal spreading of
MS-Blaster type worms is to patch your systems and/or disable DCOM.
Remote management uses RPC, not DCOM, so you're still good to go on
that.
>
>(p.s. there is a router at the top of my network that blocks these ports
>to/from the *evil* internet, so it's just for a local net here).
>
>Another thing, I always assumed DNS uses only UDP. I'm not an expert, so I
>can be wrong, but do I really need to open TCP for DNS?
There's little harm in allowing or disallowing DNS over TCP. It is not
very common that this is used; it happens only when the answer is too
large to fit in one packet or when performing a zone transfer.
>
>Thanks,
>
>Gertjan
>
Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)