Hello All,

Is it good to DROP all packets coming from net to other zones, like dmz, loc & fw? Or should I REJECT?

Here is my Policy for packets from net:

net   $FW   DROP    info
net   loc   DROP    info
net   dmz   DROP    info
net   all   DROP    info

all   all   REJECT  info

For all other zones, including loc to net, I REJECT all packets and add rules accordingly.

Also, how do I watch which port is opening when a request is made from local to net? I have given only Web/ACCEPT from local to net in rules, but my MSN messenger still connects to net.

Please advise; I appreciate your help.

Thanks,
DK

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
On Thu, 2006-07-20 at 14:08 -0400, Dubba Kor wrote:
> Hello All, is it good to DROP all packets coming from net to other
> zones, like dmz, loc & fw? or should I REJECT
>
> Here is my Policy for packets from net:
> net $FW DROP info
> net loc DROP info
> net dmz DROP info
> net all DROP info
>
> all all REJECT info
>
> For all other zones, including loc to net I REJECT all packets and add
> rules accordingly.

I prefer to drop unwanted connections from the net because it makes your system/network less visible on the net and slows down port scans.

> Also, how do I watch which port is opening when a request is made from
> local to net? I have given only Web/ACCEPT from local to net in rules
> but my MSN messenger still connects to net.

That's normal -- MSN messenger can use port 80.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> On Thu, 2006-07-20 at 14:08 -0400, Dubba Kor wrote:
>> Also, how do I watch which port is opening when a request is made from
>> local to net? I have given only Web/ACCEPT from local to net in rules
>> but my MSN messenger still connects to net.
>
> That's normal -- MSN messenger can use port 80.
>
> -Tom

Yes, and:

# TCP port 1863
# TCP port 6901 (possibly)
# TCP ports 6891 to 6900
# UDP on ports 1503, 3389, 5004-65535

Good luck ;-)
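Neither reply says how to actually "watch which port is opening" from loc to net. The script below is an added example, not code from the thread or from the Shorewall project: it reads the netfilter log lines that Shorewall emits when a policy or rule carries a log level (the poster's `all all REJECT info` policy already produces them for refused loc->net traffic; adding `info` to the loc->net ACCEPT policy, or writing the rule as `ACCEPT:info loc net tcp 80`, produces them for allowed traffic too) and summarises destination ports and peers. It assumes Shorewall's default LOGFORMAT, which prefixes each line with `Shorewall:<chain>:<disposition>:` and names the loc->net chain `loc2net`; the log lines embedded in `sample_log` are constructed for the example, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original thread): answer "which ports is
# loc->net actually using?" from the netfilter log lines that Shorewall
# writes when a policy or rule carries a log level, e.g.
#     loc   net   ACCEPT   info            (policy: log everything allowed)
#     ACCEPT:info   loc   net   tcp   80   (rules: log just this rule)
# Assumes Shorewall's default LOGFORMAT "Shorewall:<chain>:<disposition>:",
# so loc->net traffic is tagged "Shorewall:loc2net:ACCEPT:" or
# "Shorewall:loc2net:REJECT:". On a real box, feed it the system log:
#     summarize_ports loc2net ACCEPT < /var/log/messages

# Emit "proto dport src dst" for each logged packet from CHAIN with DISPOSITION.
logged_flows() {
    awk -v chain="$1" -v disp="$2" '
        index($0, "Shorewall:" chain ":" disp ":") == 0 { next }
        {
            proto = dpt = src = dst = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = tolower(kv[2])
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
            }
            # ICMP carries no destination port; only TCP/UDP flows are reported.
            if (proto != "" && dpt != "") print proto, dpt, src, dst
        }'
}

# Packets per "proto dport", busiest first:  summarize_ports CHAIN DISPOSITION
summarize_ports() {
    logged_flows "$1" "$2" |
        awk '{ n[$1 " " $2]++ } END { for (k in n) print k, n[k] }' |
        sort -k3,3nr -k1,1 -k2,2n
}

# Distinct "src -> dst" pairs seen on one port:  peers_on_port CHAIN DISPOSITION PORT
peers_on_port() {
    logged_flows "$1" "$2" |
        awk -v port="$3" '$2 == port && !seen[$3 " -> " $4]++ { print $3 " -> " $4 }'
}

# Constructed sample log (not a real capture); public addresses are RFC 5737 ranges.
sample_log() {
    cat <<'EOF'
Jul 20 14:08:01 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4321 DF PROTO=TCP SPT=1050 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 20 14:08:02 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=203.0.113.9 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4322 DF PROTO=TCP SPT=1051 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 20 14:08:03 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.20 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4323 DF PROTO=TCP SPT=1052 DPT=1863 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 20 14:08:04 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4324 DF PROTO=TCP SPT=1053 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 20 14:08:05 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4325 PROTO=UDP SPT=1027 DPT=53 LEN=40
Jul 20 14:08:05 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4326 PROTO=UDP SPT=1028 DPT=53 LEN=40
Jul 20 14:08:06 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4327 PROTO=UDP SPT=1029 DPT=53 LEN=40
Jul 20 14:08:07 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=4328 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jul 20 14:08:08 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=999 PROTO=TCP SPT=44123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 20 14:08:09 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.13 DST=203.0.113.30 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4329 DF PROTO=TCP SPT=1060 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
EOF
}

echo "== loc2net ACCEPT, by port =="
sample_log | summarize_ports loc2net ACCEPT
echo "== loc2net REJECT, by port (what the policy refused) =="
sample_log | summarize_ports loc2net REJECT
echo "== who talked on tcp/1863 =="
sample_log | peers_on_port loc2net ACCEPT 1863
```

With the poster's configuration the REJECT summary is the more useful of the two: because `all all REJECT info` already logs what loc->net refuses, a client that tries its native port first (such as tcp/1863 from the list above) shows up there before it falls back to port 80 under the Web rule, which is why the ACCEPT summary alone can look like "only web traffic". On the firewall itself `shorewall show log` prints the most recent entries if you only want a quick look rather than a summary.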