[rescue] firewalling windoze crap
Daniel de Young
daniel at velvetsea.com
Sat Aug 16 20:25:04 CDT 2003
On Mon, 2003-08-11 at 04:23, Phil Schilling wrote:
> On Sat, 16 Aug 2003 19:58:42 -0500
> "Jonathan C. Patschke" <jp at celestrion.net> wrote:
> > On Sat, 16 Aug 2003, Dave McGuire wrote:
> > > What ports do I need to block on my firewall to protect him from
> > > this
> > > latest bullshit? And what ports in general should I block to help
> > > protect his machine?
> > UDP and TCP ports 135 - 139 (RPC, DCOM, NetBIOS).
> > UDP and TCP port 445 (SMB)
> > UDP and TCP port 522 (User-location protocol)
> > UDP port 3389 (Remote Desktop)
> > TCP ports 5800 - 5999 (WinVNC)
> > That's a good start, anyway. I feel like I'm leaving something out.
> If Dave is running NetBSD with IPFilter as I suspect, and
> IPFILTER_DEFAULT_BLOCK is in the compiled kernel and you are only
> allowing the standard outgoing connections, http, httpd, smtp, pop3, etc
> you should be safe. I have 40+ NetBSD firewalls out there running such
> a setup, most in front of WinBloze networks and did not have a single
> compromised machine. When I set up my firewalls the only incoming ports
> are from my machines to port 22 and any few ports that they may need
Fine and dandy until somebody plugs a laptop with the worm in behind
your firewall. heh
I had good luck this time too. I had a lot of false positives because
enery "little" problem "must be that worm", but nothing solid yet.
I think this is mainly due to broadcast communication with my clients
about the "laptop" factor. Gave time for their "office computer guys"
to install desktop patches! "No laptops plugged into the network until
it has been tested patched!" and "Catch them at the front desk!"
(...knock on formica)
More information about the rescue