bbarrera, join:2000-10-23, Sacramento, CA
lockdown LAN to WAN traffic
Thought someone may find this interesting. Here are my rules for locking down LAN to WAN traffic.
*** LAN to WAN Firewall rules ***
Default action: Block, Log
Individual rules to allow outbound access for these applications:
- Web access: tcp80, tcp443
- Email access: tcp110 (pop3), tcp995 (pop3s), tcp143 (imap), tcp993 (imaps), tcp25 (smtp), tcp465 (smtps)
- TiVo web control & program guide updates: tcp8080
- Secure shell: tcp22
- ftp downloads: tcp20, tcp21
- Windows Remote Desktop: tcp3389
- LAN dns cache: tcp/udp53
- LAN ntp server: tcp/udp123
- Gentoo Linux package updates: tcp873 (rsync client)
- OpenBSD/FreeBSD security updates: tcp2401 (anonymous cvs)
netspazz, join:2003-04-20, Mesa, AZ
Thanks for the info. It's funny you posted this, since I was planning on asking if anyone does set up rules for LAN-WAN traffic. I see the default is to allow everything out onto the network. I was wondering what kind of gotchas you can run into by locking it down.
bbarrera, join:2000-10-23, Sacramento, CA
Two gotchas:
1. Forget to add a LAN-WAN firewall rule. When an application mysteriously stops working, immediately check Zywall logs and add a new rule.
2. Possible need to adjust both firewall and applications. For example, accessing ICQ using GAIM under WinXP/Linux stopped working even after creating a simple outbound traffic rule. Haven't found a solution yet since I don't use ICQ often. A quick Google search indicates Licq/Kopete work better behind firewalls. Also saw info indicating that workarounds involve setting application parameters and then configuring port triggering.
MrYogi, join:2003-03-28, Reston, VA
reply to bbarrera: Excellent, thank you very much!
Do you know what ports need to be opened to allow AOL Instant Messenger, Yahoo Messenger, MSN, Trillian, RealPlayer, Media Player, etc.? Thanks again
bbarrera, join:2000-10-23, Sacramento, CA
Just block by default, start 1 app, check logs, allow that port (service), and try running the 1 app again.
StuartMW, join:2000-08-06, Austin, TX
reply to bbarrera: By coincidence I created a bunch of LAN-WAN rules yesterday to block everything except what I need. As bbarrera says, just try an app and see what is being blocked in the logs, then enable those ports.
FYI here's what I discovered for some apps.
MSN Messenger 6.1: TCP 1863, UDP 7001, UDP 9
RealPlayer 8: TCP 554, TCP 7070
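The default-block-and-log policy from bbarrera's first post, together with the "start one app, check the logs, allow that service" workflow, modelled in Python. This is an added example, not ZyWALL firmware or configuration. The 192.168.1.x addresses are constructed; the per-host restrictions (a port allowed only from one LAN IP, as bbarrera does for DNS, NTP and TiVo) and the MSN Messenger ports reported by StuartMW come from the thread.

```python
"""Default-deny LAN-to-WAN egress policy with block logging.

Added example (not ZyWALL code): models bbarrera's posted rule set and the
workflow of running one application, reading the block log and adding the
rule that is missing. All 192.168.1.x addresses are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                              # "tcp", "udp" or "any"
    dports: frozenset                       # destination ports the rule allows
    src_hosts: Optional[frozenset] = None   # None = any LAN host; else only these LAN IPs


DNS_NTP_HOST = frozenset({"192.168.1.2"})   # constructed: LAN DNS cache / NTP server

# bbarrera's allow list, with ports that only one LAN host needs tied to that host.
EGRESS_RULES = [
    Rule("web", "tcp", frozenset({80, 443})),
    Rule("email", "tcp", frozenset({25, 110, 143, 465, 993, 995})),
    Rule("tivo", "tcp", frozenset({8080}), frozenset({"192.168.1.50"})),  # constructed TiVo address
    Rule("ssh", "tcp", frozenset({22})),
    Rule("ftp", "tcp", frozenset({20, 21})),
    Rule("rdp", "tcp", frozenset({3389})),
    Rule("dns-cache", "any", frozenset({53}), DNS_NTP_HOST),
    Rule("ntp-server", "any", frozenset({123}), DNS_NTP_HOST),
    Rule("rsync", "tcp", frozenset({873})),
    Rule("anoncvs", "tcp", frozenset({2401})),
]


@dataclass
class EgressFirewall:
    rules: list
    log: list = field(default_factory=list)

    def evaluate(self, src_ip: str, proto: str, dport: int):
        """First matching allow rule wins; anything else hits the default Block+Log action."""
        for rule in self.rules:
            if rule.proto != "any" and rule.proto != proto:
                continue
            if dport not in rule.dports:
                continue
            if rule.src_hosts is not None and src_ip not in rule.src_hosts:
                continue
            return ("allow", rule.name)
        self.log.append(f"LAN->WAN default block: src={src_ip} {proto}/{dport}")
        return ("block", None)


BLOCK_RE = re.compile(r"src=(\S+) (tcp|udp)/(\d+)$")


def rules_needed(log):
    """Turn block-log lines into the (proto, port) pairs an allow rule must cover.

    This is the 'check logs, allow that service' step: the log, not guesswork,
    tells you which ports the application actually used.
    """
    needed = set()
    for line in log:
        m = BLOCK_RE.search(line)
        if m:
            needed.add((m.group(2), int(m.group(3))))
    return sorted(needed)


def trial_run(fw, flows):
    """Evaluate the flows one application generates and report what the log says is missing."""
    start = len(fw.log)
    for src, proto, dport in flows:
        fw.evaluate(src, proto, dport)
    return rules_needed(fw.log[start:])


# Constructed sample: a LAN PC starts MSN Messenger 6.1 (TCP 1863, UDP 7001,
# UDP 9 per StuartMW) and also opens an HTTPS page, which is already allowed.
MSN_FLOWS = [
    ("192.168.1.10", "tcp", 1863),
    ("192.168.1.10", "udp", 7001),
    ("192.168.1.10", "udp", 9),
    ("192.168.1.10", "tcp", 443),
]

if __name__ == "__main__":
    fw = EgressFirewall(EGRESS_RULES)
    print(trial_run(fw, MSN_FLOWS))   # [('tcp', 1863), ('udp', 9), ('udp', 7001)]
    for line in fw.log:
        print(line)
```

Only the three Messenger ports show up as needed; the HTTPS flow matched the existing web rule and never reached the default action, which is exactly how the per-application rule set in the thread grows one service at a time.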
bbarrera, join:2000-10-23, Sacramento, CA
Here's a good reason to not allow all outbound AOL traffic: »www.mynetwatchman.com/kb/securit···/aolvpn/
vito, join:2001-11-28, Gilbertsville, PA
reply to bbarrera: BB must be one of those nice system admins.
I am considered to be a pain in the you know what.
I block everything but 80, 3389, ftp, telnet, 8080, ssh, https. All servers are blocked from any Internet access, except servers running DNS, which have a rule to allow traffic. Mail is only collected from our "DMZ": no client can collect mail from servers outside of the network. If they need to collect mail from another source, it is added to our mail server to download it, scan for viruses and spam, then sent to the user's work email.
bbarrera, join:2000-10-23, Sacramento, CA
Hey vito, that is my small office config, and I also lock down certain ports by LAN IP address (e.g. DNS, NTP, TiVo). I'm almost ready to deploy fetchmail and a LAN imap server, and then email will be locked down too.
A couple of my clients are locked down even tighter than your policy.
SwampKracker
bbarrera, has that AOL hack actually been done or is it just academic? I have a client that was seemingly protected by a Cisco 160x router with the most basic of config. Yet, somehow the worst of all backdoor trojans would get onto one or two PCs. I even witnessed a Messenger service popup on a W2K Pro machine I rebuilt within 5 minutes of attaching to the network! There is an AOL user in that business always connecting with the TCP/IP client.
I was never able to locate the source of the hacking, just that it was definitely originating from the outside.
bbarrera, join:2000-10-23, Sacramento, CA
Don't know if there is an exploit floating around for the AOL security risk. Another security backdoor to investigate is telecommuters using VPN.
Anav, join:2001-07-16, Dartmouth, NS
reply to bbarrera: Synack, can you put this thread up in the favourites link as "Securing your ZyWALL"? It's too valuable to lose.
vito, join:2001-11-28, Gilbertsville, PA
reply to bbarrera
said by bbarrera : Here's a good reason to not allow all outbound AOL traffic: »www.mynetwatchman.com/kb/securit···/aolvpn/
cool link!! thanks BB
SYNACK (Mod), join:2001-03-05, Venice, CA
reply to bbarrera: Re: lockdown LAN to WAN traffic
said by bbarrera : Here's a good reason to not allow all outbound AOL traffic: »www.mynetwatchman.com/kb/securit···/aolvpn/
Actually, the ZyWALLs provide some protection because a two-way communication cannot be established by the attacker. Since the response packets are routed directly, they will be blocked on their way out by the ZyWALL because they appear spoofed (Their source IP is the AOL IP, which is not expected to reside on the LAN).
I observed this effect years ago tracking down some weird spoof entries in the P312 and did a detailed analysis. I'll try to find my original post here, but it's probably too long ago.
EDIT: Found it (mid 2001): »Interesting Spoofing attack  |
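The effect SYNACK describes, as an added example in Python (not ZyWALL code and not the analysis from the linked post): an interface-based anti-spoofing check that drops a packet leaving through the LAN interface when its source address is not a LAN address. The LAN subnet is constructed, and 198.51.100.7 is a placeholder standing in for an address assigned by the AOL client.

```python
"""Interface-based source-address (anti-spoofing) check.

Added example, not ZyWALL code. Models the behaviour described in the thread:
a LAN PC whose AOL client has its own tunnel address replies to traffic that
arrived over that tunnel, but the reply is routed directly out through the
firewall's LAN interface with the tunnel address as its source. The firewall
sees a non-LAN source on the LAN side and drops the packet as spoofed, so no
two-way conversation can be completed. Subnet and addresses are constructed.
"""
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")   # constructed LAN subnet behind the firewall


def check_source(iface: str, src_ip: str):
    """Return (verdict, reason) for a packet arriving on `iface` ('lan' or 'wan')."""
    src = ip_address(src_ip)
    if iface == "lan":
        # Only addresses from the LAN subnet may originate on the LAN interface.
        if src not in LAN_NET:
            return ("drop", "spoofed: source not in LAN subnet")
        return ("pass", "lan source ok")
    if iface == "wan":
        # Traffic from the Internet must not claim a LAN source address.
        if src in LAN_NET:
            return ("drop", "spoofed: LAN source seen on WAN")
        return ("pass", "wan source ok")
    raise ValueError(f"unknown interface {iface!r}")


def tunnel_reply_verdict():
    """The thread's scenario: the PC's reply is sourced from its tunnel address,
    not its LAN address, yet it leaves via the LAN interface."""
    tunnel_addr = "198.51.100.7"   # placeholder for the client-assigned tunnel address
    return check_source("lan", tunnel_addr)


if __name__ == "__main__":
    print(check_source("lan", "192.168.1.10"))   # normal LAN host: pass
    print(tunnel_reply_verdict())                # tunnel-sourced reply: drop
```

The check is the same reasoning the log entries in the linked post reflect: the "spoofed" messages are not an attack in themselves but the firewall refusing to forward replies whose source does not belong on the interface they arrived from.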
bbarrera, join:2000-10-23, Sacramento, CA
Thanks for finding that, as I recalled your analysis and unsuccessfully went looking for the post.
SYNACK (Mod), join:2001-03-05, Venice, CA
For those of us who have the outgoing rules still at the default setting (allow all outgoing traffic), NOW would be a good time to at least add a LAN-WAN policy blocking port 81 (need to create a custom service).
This will protect against W32/bagle-Q infections. See the Sophos site for details.
(There is also a related story here: »New Bagel Flavors ).
ladino, join:2001-02-24, USA
I tried adding a LAN-WAN filter for udp53 & tcp80 & browsing stops altogether.
21.1.1
1 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=53 N F N
2 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=80 N F N
11.5 Output Filter Sets: protocol filters= 1
Logs show the following
Info Zywall msg="board 0 line 0 channel 0, call 31, C02 Call Terminated" note="CALL DETAIL RECORD"
15:34:39 Notice zywall msg="ppp:LCP Closing"
15:34:39 Notice Zywall msg="ppp:IPCP Closing"
15:34:40 Info Zywall msg="board 0 line 0 channel 0, call 32, C01 Outgoing Call dev=6 ch=0" note="CALL DETAIL RECORD"
15:34:40 Info Zywall msg="board 0 line 0 channel 0, call 32, C02 OutCall Connected 100000" note="CALL DETAIL RECORD"
15:34:40 Notice Zywall msg="ppp:LCP Starting"
15:34:40 Notice Zywall msg="ppp:LCP Opening"
15:34:43 Notice Zywall msg="ppp:PAP Opening"
15:34:43 Notice Zywall msg="ppp:IPCP Starting"
15:34:43 Notice Zywall msg="ppp:IPCP Opening"
15:38:11 Info Zywall msg="board 0 line 0 channel 0, call 32, C02 Call Terminated" note="CALL DETAIL RECORD"
15:38:11 Notice Zywall msg="ppp:LCP Closing"
15:38:11 Notice Zywall msg="ppp:IPCP Closing"
15:38:11 Info Zywall msg="board 0 line 0 channel 0, call 33, C01 Outgoing Call dev=6 ch=0" note="CALL DETAIL RECORD"
15:38:11 Info Zywall msg="board 0 line 0 channel 0, call 33, C02 OutCall Connected 100000" note="CALL DETAIL RECORD"
Am I putting in the filters wrong?
SYNACK (Mod), join:2001-03-05, Venice, CA
Yes, if you block outgoing port 80, you won't be able to browse anymore. This is the expected effect. Similarly, if you block UDP/53, DNS lookups won't work anymore.
You don't need any protocol filters, leave menu 21 as is.
This thread is about firewall policies as configured in the firewall menu (configurable via web browser).
The services listed by bbarrera are the ones that should be allowed, while the default policy for LAN-WAN is now block.
jamesv, join:2003-03-08, Austin, TX
reply to bbarrera
said by bbarrera :
- Email access: tcp110 (pop3), tcp995 (pop3s), tcp143 (imap), tcp993 (imaps), tcp25 (smtp), tcp465 (smtps)
I think port 465 is obsolete: even Microsoft knows how to connect to port 25 and use the STARTTLS command now.
I think an MUA is supposed to use port 587 to submit outbound mail to an MTA, but I don't know if this is really widely used yet.