
BlitzenZeus (Burnt Out Cynic, Premium, join: 2000-01-13) | reply to bjf123
Re: Tiny to Kerio Rules

Is your computer running as a DHCP server? If not, you shouldn't allow local: udp 67 connections, as then you are acting as the server.
I allow 8085 and 8086 for DSLR's tweak test. If I don't, the results are not accurate. I could secure those two ports to the testing address, but they are also used for another DSLR test. I'm only worried about the higher port ranges, and in this config you will have to permit each FTP request by your browser. I prefer it this way instead of allowing them access to higher ports for no reason.
I see you're still working on some rules like your ICMP, etc.
Your next step for some apps is making rules for certain addresses only. Do those when the programs only communicate out to one or two addresses, if you need to. However, some programs are fine being allowed to any address since they are hard-coded to certain addresses anyway. It's obvious that browsers need access to any address, but here is where it's up to you to make those judgements.
-- "Yesterday we obeyed kings, and bent our necks before emperors. But today we kneel only to the truth." -Kahlil Gibran

bjf123 (We Want... A Shrubbery, Premium, join: 2000-02-11, Hamilton, OH)

said by BlitzenZeus:
> Is your computer running as a DHCP server? If not, you shouldn't allow local: udp 67 connections, as then you are acting as the server.
I'm not running a DHCP server, that I know of. I just know that without the rules for ports 67 and 68, both local and remote, I lose my DSL connection after about 15 minutes. Does that make sense?

quote:
> Your next step for some apps is making rules for certain addresses only. Do those when the programs only communicate out to one or two addresses, if you need to. However, some programs are fine being allowed to any address since they are hard-coded to certain addresses anyway. It's obvious that browsers need access to any address, but here is where it's up to you to make those judgements.
I've gone back through all my apps that connect out, deleted the rules, and tried to connect again. This time, in addition to specifying the remote port, I also specified the IP address. Most apps just seem to want one address. Some wanted multiple addresses, but usually within a range, like 123.456.789.0 to 123.456.789.255, so I put that range in the rule. What's the difference between using a range and a mask? For AOL and CompuServe (I know those are bad words around here!), I needed two rules each, as they seem to access multiple ranges that belong to AOL, according to the Whois lookup I did. One app, Quicken, needed to access multiple IPs as part of the downloading of my financial data from various banks and credit card companies. There, I ended up with an "any address" rule. Otherwise, I would have 6 to 10 rules, which I thought was overkill. Wouldn't you agree?
I haven't had a chance to get back to the ICMP rules. Had to take a break to go watch my Alma Mater (Xavier) win their conference basketball tournament!
-- Golf is a relatively simple game, played by reasonably intelligent people, stupidly.
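The two posts above turn on two rule-design questions: which DHCP rules a client actually needs (as opposed to the local udp 67 rule that makes the machine answer as a server), and what a range buys you over a mask when restricting a rule to an address block. As an added worked example (mine, not code from either poster or from Kerio), here is a small first-match rule evaluator in Python that checks both. The `Rule`, `Packet`, `decide`, `remote_networks` and `range_vs_mask` names and the rule layout are assumptions of this model, not Kerio's own format; the addresses are constructed from the 192.0.2.0/24 documentation range.

```python
# Added example (not Kerio's code, not either poster's): a toy first-match
# personal-firewall ruleset, used to check which DHCP rules a *client* needs
# and how a lo-hi address range relates to a network mask.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    direction: str      # "in" (arriving at this host) or "out" (leaving it)
    local_port: int
    remote_port: int
    remote_ip: str


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    direction: str      # "in", "out" or "both"
    local_ports: range
    remote_ports: range
    remote: str         # "any", a CIDR block, a single host, or a "lo-hi" range
    action: str         # "permit" or "deny"


def remote_networks(spec: str):
    """Turn a rule's remote-address spec into a tuple of ip_network objects.
    An empty tuple means 'any address'. A 'lo-hi' range is summarised into the
    smallest set of masked blocks that covers exactly those addresses."""
    if spec == "any":
        return ()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return tuple(ipaddress.summarize_address_range(lo, hi))
    return (ipaddress.ip_network(spec, strict=False),)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if rule.direction != "both" and rule.direction != pkt.direction:
        return False
    if pkt.local_port not in rule.local_ports or pkt.remote_port not in rule.remote_ports:
        return False
    nets = remote_networks(rule.remote)
    return not nets or any(ipaddress.ip_address(pkt.remote_ip) in n for n in nets)


def decide(rules, pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action
    return "deny"


# What a DHCP client needs: its own port is 68, the server's port is 67.
DHCP_CLIENT_RULES = [
    Rule("dhcp discover/request", "udp", "out", range(68, 69), range(67, 68), "any", "permit"),
    Rule("dhcp offer/ack",        "udp", "in",  range(68, 69), range(67, 68), "any", "permit"),
]

# The rule discussed in the thread: accepting packets that arrive at local udp 67
# is what a DHCP *server* does, because clients send their requests to port 67.
DHCP_SERVER_RULE = Rule("local udp 67", "udp", "in", range(67, 68), range(68, 69), "any", "permit")

# Constructed sample traffic (192.0.2.0/24 is a documentation-only range).
LEASE_REPLY = Packet("udp", "in", 68, 67, "192.0.2.1")      # the ISP's DHCP server answering us
CLIENT_ASKING = Packet("udp", "in", 67, 68, "192.0.2.77")   # another host asking *us* for a lease


def dhcp_client_verdicts():
    """Verdicts with only the client rules: the lease reply passes, the stray request is dropped."""
    return (decide(DHCP_CLIENT_RULES, LEASE_REPLY), decide(DHCP_CLIENT_RULES, CLIENT_ASKING))


def dhcp_with_server_rule_verdicts():
    """Same traffic once 'local udp 67' is added: the machine now accepts client requests."""
    rules = DHCP_CLIENT_RULES + [DHCP_SERVER_RULE]
    return (decide(rules, LEASE_REPLY), decide(rules, CLIENT_ASKING))


def range_vs_mask(lo: str, hi: str):
    """The masked blocks a lo-hi range expands to, as CIDR strings."""
    return [str(n) for n in remote_networks(f"{lo}-{hi}")]


if __name__ == "__main__":
    print("client rules only :", dhcp_client_verdicts())            # ('permit', 'deny')
    print("with local udp 67 :", dhcp_with_server_rule_verdicts())  # ('permit', 'permit')
    print("aligned range     :", range_vs_mask("192.0.2.0", "192.0.2.255"))  # one /24
    print("unaligned range   :", range_vs_mask("192.0.2.10", "192.0.2.20"))  # four blocks
```

The point for the thread: a working lease only ever involves this host's port 68 and the server's port 67, so a rule that permits packets arriving at local udp 67 is never exercised by the client's own DHCP exchange; it only serves other hosts asking this machine for an address. On ranges versus masks: .0 to .255 starts and ends on a block boundary, so it is exactly one /24 and the two forms are interchangeable there, while an arbitrary range such as .10 to .20 needs four masked blocks to express, which is why a rule editor offers a range form at all.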