Why do you say that? If your firewall is wide open, maybe. If your firewall is tight, you need ports open: 25 for email, 80 for browsing, 21 for FTP, 22 for secure shell, etc.
ignt! What's up with you guys? Here is a scenario:

winXP --> firewall --> Internet --> mikeysgayFW --> mikePronserver
outbound open ---------- inbound open --------------------- w00t pron
ssh, 21, 80, etc ------- ssh, 21, 80, etc ----------------- access gained
deny all --------------- deny all ------------------------- access denied

What is so hard to understand about that?
You're saying that you have to allow INBOUND, NOT OUTBOUND, connections to YOUR MACHINE ... NOT HIS ... on port 80 or 21. That's what! You said:

'In my real life config: Remote workstation --> Internet --> My home FW (443 open inbound) -- My webserver. Get it now?'

And that's WRONG! You don't need to allow inbound connections on ANY port unless you are running a server on it ... NOT A CLIENT ... a server!
That's what I was saying in the first place. I made 2 examples of my network and an MS network previously, so I think that's how you got confused. I see we are on the same page now. Basically the ACK traffic is stateful.
I'm still a bit worried that some people, having read this, will open up ports on their firewalls on 25 or 110, for example, if they can't get their email working properly and think it might be something to do with their firewall not being set up properly. Actually there ARE some (very specific) conditions when it MAY be necessary to open a port, but generally, as you know, people do not need to open up holes in their firewall to use a computer to access the internet. The answer is always to block all incoming traffic from the internet and only in very extreme circumstances open a port up, and only THEN when you've checked absolutely everything else out AND asked someone more knowledgeable than yourself as to what it might be. If the firewall might be causing a problem then, and only then, try (for a brief period, i.e. minutes if possible) opening up the relevant hole in your firewall and see if it makes a difference. As you know, most problems with firewalls are nothing to do with the system itself and usually revolve around things like DNS resolution and suchlike.
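The point the last few posts are making (outbound client traffic needs no inbound holes because the firewall tracks the connection and lets the replies back in, while only a deliberately published server port is reachable from outside) as a toy stateful filter. This is an added illustration, not code from the thread; the 192.168.1.0/24 inside network, the 203.0.113.x peers and port 443 as the one published server port are constructed assumptions.

```python
# Added example: a minimal connection-tracking packet filter with a
# default-deny inbound policy, to show why clients never need ports opened.
from dataclasses import dataclass

INSIDE = "192.168.1."          # assumption: the LAN behind the firewall

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # True for the first packet of a TCP connection

class StatefulFirewall:
    def __init__(self, published_ports=()):
        self.published = set(published_ports)   # inbound ports a server listens on
        self.conns = set()                      # outbound flows we have seen

    def _outbound(self, p):
        return p.src.startswith(INSIDE) and not p.dst.startswith(INSIDE)

    def filter(self, p):
        """Return 'ALLOW' or 'DENY' for one packet."""
        if self._outbound(p):
            # Outbound is open: remember the flow so its replies can come back.
            self.conns.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        # Inbound is allowed only if it is the reverse of a tracked outbound flow ...
        if (p.dst, p.dport, p.src, p.sport) in self.conns:
            return "ALLOW"
        # ... or a new connection to a port deliberately published for a server.
        if p.syn and p.dport in self.published:
            return "ALLOW"
        return "DENY"       # default deny for everything else (25, 80, 110, ...)

def demo():
    fw = StatefulFirewall(published_ports={443})
    pc, web, mail = "192.168.1.10", "203.0.113.5", "203.0.113.25"   # constructed
    return [
        fw.filter(Packet(pc, 50000, web, 80, syn=True)),    # browsing out
        fw.filter(Packet(web, 80, pc, 50000)),              # reply (ACK) back in
        fw.filter(Packet(pc, 50001, mail, 110, syn=True)),  # POP3 fetch out
        fw.filter(Packet(mail, 110, pc, 50001)),            # its reply in
        fw.filter(Packet(web, 40000, pc, 80, syn=True)),    # unsolicited inbound 80
        fw.filter(Packet(web, 40001, pc, 443, syn=True)),   # the published server port
    ]
```

Running `demo()` shows the mail and web fetches and their replies allowed, the unsolicited inbound connection to port 80 denied, and only the published 443 accepted from outside.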
http://cgi.ebay.com/Cisco-PIX-501-F...799180009QQcategoryZ64019QQrdZ1QQcmdZViewItem

Code:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password zNZB4a3pGhn.Bh.T encrypted
passwd zNZB4a3pGhn.Bh.T encrypted
hostname myPIX
domain-name mydomain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_acl permit icmp any any echo-reply
access-list outside_acl permit icmp any any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 172.31.8.254 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.200.1-192.168.200.100
pdm logging notifications 100
no pdm history enable
arp timeout 14400
global (outside) 1 172.31.8.100-172.31.8.199 netmask 255.255.255.0
global (outside) 1 172.31.8.200 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 172.31.8.21 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 172.31.8.22 192.168.1.5 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 172.31.8.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 192.168.1.5 timeout 5 protocol TCP version 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt ipsec pl-compatible
sysopt noproxyarp inside
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local vpnpool outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup MDLVpnGroup address-pool vpnpool
vpngroup MDLVpnGroup split-tunnel 90
vpngroup MDLVpnGroup idle-time 1800
vpngroup MDLVpnGroup max-time 86400
vpngroup MDLVpnGroup password ********
vpngroup GLvpn address-pool vpnpool
vpngroup GLvpn idle-time 1800
vpngroup GLvpn password ********
vpngroup vpnusers address-pool vpnpool
vpngroup vpnusers idle-time 1800
vpngroup vpnusers password ********
telnet timeout 5
ssh 172.31.3.56 255.255.255.240 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local vpnpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username user1 password *********
vpdn enable outside
terminal width 80
Cryptochecksum:a6155dab0cedfe2d61d3244e21aec6fc
: end
MyPIX#

Done.
Well, if only you'd explained it as simply as that in the first place we could have saved ourselves a great deal of trouble.
I install Check Point FireWall-1 for my clients. Those Israelis know their stuff when it comes to security. They bought Zone Alarm recently btw, so I guess that's as good a solution as any to run on a Wintel box. If you're thinking of a Linux firewall check out SmoothWall, it'll run on any computer made in the last 10 years.
Of course, if you can run a small Linux box solely as a firewall you're much safer running application firewalls. I used to run a box which was only a 300 MHz Cyrix with 64 MB RAM which ran squid for http, https and ftp tunneled through http, the SuSE ftp-proxy suite called, intriguingly, ftp-proxy, and postfix for email including anti-virus and anti-spam. There's various other things like dante but, hey... users don't NEED those facilities, do they? Anyway, good stuff and worth a look if you've got a spare machine and a few hours.
I've been thinking of installing and setting up SpamAssassin on my firewall to get rid of some of the spam I get from my Earthlink email address. I'll need to look into it.
It's pretty good. It works as a kind of filter to postfix, sendmail, qmail or even plain old procmail. Have a look at http://spamassassin.apache.org/ for details.
I've heard good stuff about this firewall. It is its own distro, and the site looks informative, but rather slow. http://www.ipcop.org
I posted some initial info on the D-Link wireless "gaming" router/firewall I just purchased in my blog.
I'm installing a Watchguard Firebox X500 for a client and I would HIGHLY recommend against anyone buying one for their SMB.
Not likely to be happening any time soon but, as a matter of interest, what's the problem with it? Difficult to configure? Unreliable?
So first you have to take the server you want to control the FW and take it off-line so you can connect a cross-over and serial cable to the FW to run the initial config. And it steers you to a really basic config, so it's unlikely that you're going to be able to roll out your FW fully configured, which blows. I have configured at least 200 firewalls, and I will have to say that this is one of the more unintuitive interfaces ever. Plus it does that thing, like the Checkpoint paradigm, where you save the config locally and then bounce it up to the FW, which doesn't work right. Config changes sometimes take, sometimes they don't. Big friggin problem. The HTTP filtering is so restrictive I know the client is going to end up turning it off. It basically filters EVERYTHING. They couldn't get to business partner sites, which didn't have anything remotely objectionable on the sites. Not a very granular classification system for site filtering, either: no 'shopping', for example. At the very least, don't even think about using the web filtering. Still don't have IRC working right, of all things. Have statically NATed SMTP and HTTP servers working fine . . . I'm not usually stumped by a firewall.
Yeah, see what you mean. Sounds fun... Not. I've maybe done a few hundred firewalls as well over the years, but I've always installed software ones using a combination of packet filtering usually plus application level ones using two machines. It's amazing how little people are prepared to pay for 'knowledge'... but they're MORE than prepared to spend money on something in a shiny box. Bloody amazing. And try and get them to pay for the monitoring of logs. That's a joke as well. Ho-hum. Actually I'm in the process of becoming semi-retired at the moment. Seems to be becoming more and more of a young person's profession. In the old days you could just say to the customer, "This is what you're gonna get". Now, they've read in a magazine that this shiny new box does everything AND makes the tea as well. It becomes extremely difficult to convince them that it sort of does... but sort of doesn't as well. Also, that THEY have a responsibility to keep their applications patched and do the other stuff like not writing their passwords onto a little sticker which they then stick onto the damned screen. Actually, don't get me started. Ah, you already did.
Computer responsibility is a whole other issue best suited for another thread. Unfortunately computer vendors are trying to sell them like appliances. The last time I checked toasters can't get turned into spam spewing zombies or drones used in DOS attacks. Computers on the other hand...
Speaking of computers and appliances in a firewall thread, has anybody checked out the firewall in the ActiveArmor Secure Networking Engine available in the NVIDIA nForce4 SLI and nForce4 Ultra chipsets?