[ale] which port/services to enable under SmoothWall ?
- Subject: [ale] which port/services to enable under SmoothWall ?
- From: jknapka at kneuro.net (JK)
- Date: Sun, 21 Dec 2008 16:41:09 -0700
- In-reply-to: <[email protected]>
- References: <[email protected]>
Courtney Thomas wrote:
> Sorry for the previous confusion regarding SECURE internet browsing and
> email... as LAN clients.
> I would like to know... what minimum ports/services are required
> to be open, maximizing security, while allowing said activities, i.e. which
> ones should be enabled?
> Finally, how should this be implemented, under SmoothWall or otherwise?
Usually the right thing is to simply allow any traffic initiated
from within your LAN, and deny any traffic originating outside
your LAN. And if I'm not mistaken, Smoothwall will do that in
its default configuration. It's all handled via firewall rules
on the Smoothwall box, and the question of which services are
running on machines on your LAN is immaterial, since anyone
outside your LAN can't see those machines anyway (since traffic
to them is blocked by the firewall).
One caveat to this "allow my outgoing stuff, deny everything
else" rule is that if some machine on your LAN gets hijacked
by a botnet and starts spewing gazillions of spam emails all
over the 'net, your firewall won't catch that. The way that
could happen is (for example) you visit a website from a
Windows client inside your LAN, that site asks you to install
an ActiveX control, you allow that install, and the binary
that gets installed is a trojan. This falls into the "you
asked for it" category :-D The answer to that kind of thing
is to be careful in your network habits: have up-to-date
virus checking, disable website scripting by default (enabling
only for trusted sites), and so forth. This isn't the kind
of thing that allowing or blocking things at the "service"
level is going to help you with -- if you want web browsing,
your firewall has to allow you to connect to web servers
on TCP port 80, and once that's allowed, you're potentially
vulnerable to infections vectored via web services. Similarly
for emails. So additional measures are necessary.
I do not particularly want to go where the money is -
it usually does not smell nice there. -- A. Stepanov
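A toy model of the "allow what the LAN initiates, deny everything else" policy described in the reply, including the caveat that a hijacked LAN host's outbound spam sails through it. This is added example code, not from the thread or from SmoothWall; the addresses, the MAIL_RELAY host and the smtp_only_from_relay egress rule are constructed assumptions illustrating one of the "additional measures".

```python
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."     # constructed: the protected LAN behind the firewall
MAIL_RELAY = "192.168.1.25"   # constructed: the one LAN host allowed to speak SMTP

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection

def is_lan(ip):
    return ip.startswith(LAN_PREFIX)

class StatefulFirewall:
    """Default policy: accept anything the LAN initiates, drop unsolicited inbound."""
    def __init__(self, egress_rules=()):
        self.conntrack = set()            # (src, sport, dst, dport) of LAN-initiated flows
        self.egress_rules = egress_rules  # extra predicates applied to outbound packets

    def filter(self, pkt):
        if is_lan(pkt.src) and not is_lan(pkt.dst):
            # Outbound: allowed unless an optional egress rule objects.
            if not all(rule(pkt) for rule in self.egress_rules):
                return "DROP"
            if pkt.syn:
                self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if not is_lan(pkt.src) and is_lan(pkt.dst):
            # Inbound: only replies belonging to a connection the LAN opened.
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "ACCEPT" if reverse in self.conntrack else "DROP"
        return "DROP"  # neither side on the LAN: not our traffic

def smtp_only_from_relay(pkt):
    """Assumed egress rule: TCP/25 may leave the LAN only from MAIL_RELAY."""
    return pkt.dport != 25 or pkt.src == MAIL_RELAY

def run_scenarios(egress_rules=()):
    """Push the thread's scenarios through the firewall; returns verdicts by name."""
    fw = StatefulFirewall(egress_rules)
    return {
        "browse_out":   fw.filter(Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True)),
        "browse_reply": fw.filter(Packet("203.0.113.5", 80, "192.168.1.10", 40000)),
        "unsolicited":  fw.filter(Packet("198.51.100.7", 55555, "192.168.1.10", 445, syn=True)),
        # the caveat: a hijacked desktop's spam is LAN-initiated, so the default policy passes it
        "spam_out":     fw.filter(Packet("192.168.1.10", 40001, "203.0.113.25", 25, syn=True)),
    }
```

With no egress rules, `spam_out` is accepted exactly as the reply warns; passing `[smtp_only_from_relay]` drops it while leaving browsing untouched.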