List:       fwtk-users
Subject:    Re: Blocking ports
From:       Jan Muenther <jan () radio ! hundert6 ! de>
Date:       2001-02-14 16:26:36

> The Sygate Tech Quickscan said something about ideally having Blocked
> ports not just closed.

Very interesting expression. Basically, a TCP port can either be
open or closed, I'd say. I think what this tech might have wanted
to say was it's better to send back a RST flagged packet instead
of just sinking unwanted traffic in the network stack's nirvana.
This has nothing to do with how an application layer gateway like
the TIS fwtk works. 

 
> This may be of a Linux nature, but I'm new to this stuff.

It's not. It has to do with IP rather than with Linux or Unix or
whatever OS. 
 
> I built the firewall and compiled the software two years ago.  It has
> been running since then and I have not really touched it.

Ooops. I hope you did at least install the vendor's security
fixes for your OS.

> How do I block ports, and make our firewall secure?

You don't have to do that. Application level gateways like the
fwtk function with the use of proxies, which appear as open
services to the outside, but do a critical inspection of what
traffic they receive. Only if this is compliant with the protocol
of the relevant application is traffic processed further. So, as
you see, for an application proxy it's fairly normal to have
'its' port open. 

It is, however, a good idea to use a packet filter
_additionally_, depending upon your needs and resources. 
 
> We would need SMTP, POP, HTTP, HTTPS of course.

Well, smap, plug-gw and http-gw should be able to work fine for
you. 

Cheers, Jan
-- 
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther@radio.hundert6.de
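
Added example, not part of the message above and not fwtk code: a sketch of the protocol-compliance check an application-level SMTP proxy applies before passing a command on. The verb allowlist, argument patterns, reply texts and the function name inspect_command are assumptions made for illustration; the sample session is constructed.

```python
import re

# Assumed policy for this sketch: the RFC 821 verbs a mail relay needs.
ALLOWED_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_LINE = 512  # RFC 821 command line limit, CRLF included
# Required argument shape per verb (plain RFC 821, no ESMTP parameters).
ARG_RULES = {
    "HELO": re.compile(r"^[A-Za-z0-9.\-\[\]:]+$"),
    "MAIL": re.compile(r"^FROM:<[^<>\s]*>$", re.I),  # <> is the null sender
    "RCPT": re.compile(r"^TO:<[^<>\s]+>$", re.I),
}

def inspect_command(raw: bytes):
    """Return (forward, reply); forward is True only for a compliant command."""
    if len(raw) > MAX_LINE:
        return False, "500 Line too long"
    if not raw.endswith(b"\r\n"):
        return False, "500 Command must end with CRLF"
    body = raw[:-2]
    # Reject control bytes and 8-bit data in the command phase.
    if any(b < 0x20 or b > 0x7E for b in body):
        return False, "500 Illegal character"
    verb, _, arg = body.decode("ascii").partition(" ")
    verb, arg = verb.upper(), arg.strip()
    if verb not in ALLOWED_VERBS:
        return False, "502 Command not implemented"
    rule = ARG_RULES.get(verb)
    if rule is None:
        if arg:
            return False, "501 Unexpected argument"
    elif not rule.match(arg):
        return False, "501 Syntax error in arguments"
    return True, ""

# Constructed sample session: the port is open, but only compliant
# commands would be handed to the real mail server behind the proxy.
SAMPLE = [
    b"HELO mail.example.org\r\n",
    b"MAIL FROM:<alice@example.org>\r\n",
    b"RCPT TO:<bob@example.com>\r\n",
    b"DEBUG\r\n",
    b"RCPT TO:<" + b"A" * 600 + b">\r\n",
    b"MAIL FROM:<a@b>\x00\r\n",
    b"DATA\r\n",
]

if __name__ == "__main__":
    for line in SAMPLE:
        forward, reply = inspect_command(line)
        print("FORWARD" if forward else "REJECT ", reply, repr(line[:40]))
```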
