[rescue] firewalling windoze crap

Ido Dubrawsky ido at dubrawsky.org
Sat Aug 16 21:07:33 CDT 2003

On Sat, Aug 16, 2003 at 03:03:12PM -0500, rescue-request at sunhelp.org wrote:
> Date: Sat, 16 Aug 2003 15:31:02 -0400
> From: Dave McGuire <mcguire at neurotica.com>
> Subject: [rescue] firewalling windoze crap
> To: rescue at sunhelp.org
> Message-ID: <2C292845-D020-11D7-B669-000393970B96 at neurotica.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>    Hey folks.  I have a neighbor connecting through my network.  He's 
> running Windoze.
>    What ports do I need to block on my firewall to protect him from this 
> latest bullshit?  And what ports in general should I block to help 
> protect his machine?
>           Thanks,
>            -Dave
> --
> Dave McGuire                 "You don't have Vaseline in Canada?"
> St. Petersburg, FL                     -Bill Bradford
> ------------------------------


  Does he need any ports open for inbound services?  It also depends on your
firewall.  If it's a stateful firewall, just deny all inbound services to his
box (good stateful firewalls /should/ be able to identify traffic that is part 
of an established connection).  If it's not a stateful firewall, you'll need
to explicitly allow inbound access from DNS so that he can resolve addresses 
and you'll need a rule allowing for established TCP connections.  And, if he
must have some ICMP capabilities, you'll need to allow for echo-reply inbound,
and TTL-exceeded (for traceroute).  Most everything else can be dropped.  It
looks kind of like this (in Cisco ACL format):

! DNS resolution
permit udp any eq 53 host xx.xx.xx.xx
! NTP time sync
permit udp any eq 123 host xx.xx.xx.xx
! TCP connections initiated from his box
permit tcp any host xx.xx.xx.xx established
! ICMP ping replies
permit icmp any host xx.xx.xx.xx echo-reply
! traceroute
permit icmp any host xx.xx.xx.xx ttl-exceeded
deny ip any any log

That's pretty restrictive.  If he needs ports open for inbound services then
be sure to deny traffic to TCP/UDP 135, 137, 138, 139, 445, and 593.  I'd also
be VERY suspicious of his needs if he's putting a Winbloze box out on the net.
If he wants a web server, ask him if you could host it on one of your systems.

Just my .02

Ido Dubrawsky, CISSP           			E-mail:  ido at dubrawsky.org
Network Security Architect				idubraws at cisco.com
500 Hermleigh Rd
Silver Spring, MD. 20902
(301) 651-5441 (cell)
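An added example, not part of the post: a small Python evaluator that applies the ACL above to constructed inbound packets, first match wins as on a Cisco router, with the constructed address 192.0.2.10 standing in for xx.xx.xx.xx. It makes the stateless caveat visible: the entries match on source port and TCP ACK/RST flags only, never on connection state, which is why the post prefers a stateful firewall.

```python
from dataclasses import dataclass

# Constructed stand-in for the neighbour's address, written xx.xx.xx.xx in the post.
HOST = "192.0.2.10"

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False    # TCP ACK or RST flag set: all that "established" tests
    icmp_type: str = ""         # "echo", "echo-reply", "ttl-exceeded", ...

# The inbound ACL from the post as (action, protocol, source port, destination, qualifier).
# The qualifier is "established" for TCP or an ICMP type name; None means no extra test.
ACL = [
    ("permit", "udp", 53, HOST, None),               # DNS answers
    ("permit", "udp", 123, HOST, None),              # NTP answers
    ("permit", "tcp", None, HOST, "established"),    # replies to connections he opened
    ("permit", "icmp", None, HOST, "echo-reply"),    # ping replies
    ("permit", "icmp", None, HOST, "ttl-exceeded"),  # traceroute
    ("deny", "ip", None, None, None),                # deny ip any any log
]

def matches(rule, pkt: Packet) -> bool:
    """True if this access-list entry matches the packet (Cisco ACE semantics)."""
    _action, proto, sport, dst, qualifier = rule
    if proto != "ip" and proto != pkt.proto:
        return False
    if sport is not None and pkt.sport != sport:
        return False
    if dst is not None and pkt.dst != dst:
        return False
    if qualifier == "established":
        # Stateless: a flag check, not connection tracking as a stateful firewall does.
        return pkt.ack_or_rst
    if proto == "icmp" and qualifier is not None:
        return pkt.icmp_type == qualifier
    return True

def evaluate(pkt: Packet) -> str:
    """First matching entry wins, as on a Cisco router; otherwise the implicit deny."""
    for rule in ACL:
        if matches(rule, pkt):
            return rule[0]
    return "deny"
```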
