Subj : Port Blocking
To   : Peter Knapper
From : Stewart Buckingham
Date : Sat Apr 06 2002 07:42 am

Hi Peter,

>> As an end-user connecting to the internet via my local
>> isp, running W4, FP12, TCPIP 4.3, In-joy 2.3, Warpzilla
>> & Polarbar, am I at all vulnerable to attack from
>> hackers whilst I'm connected to the net?

> ANYTHING connected to the internet is vulnerable to attack. The real question
> I guess is probably HOW vulnerable would you consider acceptable???

>> If so, what ports should I be blocking?

> In simplistic terms, the safest way to access the internet is to only permit
> INCOMING connections that are responses to REQUESTS YOU have sent out TO
> something, OR only permit INCOMING connections on a PORT that you have a KNOWN
> service operating.

>> How to do it?

> The issue probably comes down to how much do you wish to spend (in time and
> $$$) to make yourself feel "comfortable" with your security. To me, it comes

I have the time but I don't have the money :)

I have IBM's Firewall which comes with their MPTN6.0/TCPIP4.3. Setting it up was a cinch with Alex Taylor's Firewall.inf file but getting my head around the filters is making me reach for the Tylenol. I also really wonder how much this slows down the IP traffic?

I have a freebie PortBlocker from Dink (no docs though it looks simple to setup/run)... no idea if it's any good or what it actually does.

Just possibly I could spring for In-joy's Firewall if I felt it would be useful to me. In-joy dialer is top quality and I have no doubt the firewall would be the same. Have seen only good comments about it also.

There are probably other free/shareware stuff I could look at too, if there were any recommendations.

> down to the different possible modes of operation, and here are the parameters
> I try and work with. I split things into 2 main categories, dial-up and
> Permanent connections, and then into different MODES of operation within those
> categories -

> 1. Dial-up connections such as Modem, ISDN, etc, are the most popular for Home
> users, however some of the lower cost permanent items are gaining popularity
> now.

> 1.a. With a dial-up connection that I connect and disconnect MANUALLY under
> MY control, (IE: the modem is not in auto-answer mode and no calls are placed
> automatically by the S/W), then my main area of concern would be restricted to
> the OS I was using and the application S/W I was running that used the
> Internet. A Firewall may be desirable, but it is optional at this point. Here
> simple common sense can apply.

That's me :)

> 1.b. With a Dial-up connection that was automated (IE under machine control
> for call placement), then some sort of Firewall is HIGHLY desirable. In this
> case the Firewall would be configured to allow only sessions initiated BY MY
> END of the link, and I would even allow the Firewall component to be on the
> machine I was using.

This could also be me on occasions.

> NB: A Standalone Firewall is MUCH preferred over running a Firewall on the
> end-user machine. Because an End-User machine is always being tinkered with by
> the user, an End-User machine based Firewall is just waiting for the user to
> do something that breaks the Firewall without the user being aware of it. A
> standalone Firewall is far less vulnerable to user error.

Unlikely I'll spring for a standalone firewall... presume you mean another network pc or a router here? Besides I like tinkering :)

> 2. With any type of permanent connection (DSL, Cable, Leased line, etc), then
> operating without a Firewall should be thought of as almost immediate "Death on
> the Internet". The hard part here is working out what type of Firewall to use,
> and how it should be configured. There are a couple of scenarios that I use
> here -

> 2.a. With a cable or DSL type connection that does NOT have a permanent IP
> assigned or does NOT have a DNS entry pointing at the connection (other than
> ISP assigned DNS entry for reverse lookups), then something similar to 2 above
> should be enough, except it SHOULD definitely be a standalone Firewall,
> especially if the PC is left connected 24hrs/day.

I get a dynamic IP assigned every time I logon. Sometimes I use this when I'm tinkering with some servers (http, ftp, pop3) but usually it's only very temporary. I'd like a 24hr connection, so I could use some of that stuff, but the price is absolutely too outrageous here in Subic Bay, Philippines. So no chance I'll use this stuff I play with anytime soon. I don't mind tinkering with the firewall setup to cater for these very rare instances.

> 2.b. As for 2.a above but with a DNS reference and/or static address,
> REGARDLESS of a configured SERVER on the DNS/IP Address then a standalone
> Firewall is a MUST. Depending on the level of external AND internal access
> required to the server, a DMZ may be desirable.

> 2.c Permanent connection with full DNS references and full-time Servers,
> then a DMZ is definitely desirable to retain your sanity.

That's not me at all.

> I have at various times run in modes 1.a, 1.b, 2.a at home as my needs changed.
> At work we usually use 2.c with a DMZ every time, they are commercial ventures
> that need appropriate configurations. There are numerous options available for
> each mode, and of course I have certain preferences. You also need to be aware
> that not all Firewalls are equal. Some are like brick walls that expressly
> permit or deny traffic using HARD RULES as set by a human (a common term used
> by users here is "pinholing" a device to allow certain traffic through). Other
> Firewalls use what is known as "Stateful Inspection", in which the Firewall
> applies user based rulesets to decide which traffic is blocked, which is
> allowed, and which may be permitted under certain conditions. Stateful
> Firewalls also try to detect events such as "Denial of service" attacks, and
> apply decisions based on what it learns about such situations to limit the
> potential "damage", while still remaining operational for other "normal"
> traffic (if possible).

Any comments on the ones I've mentioned above? Any other suggestions?

> As an example for categories 2.a or even 2.b, there are a number of devices
> that fit this requirement quite nicely for most Home (or Small Business
> Office) use. EG, for an ADSL connection, something like a Cisco 827 ADSL Router
> with the Firewall S/W can provide the DSL capability, the Routing capability,
> NAT and the Firewalling capability, and offer other extras such as DHCP Server,
> VPN, Voice over IP, etc, all within one box. Yes, it is not cheap, but if you
> can use all the features, then it is a pretty darn good option considering you
> do not have to have other H/W performing these tasks.

> From what you have asked about, this is probably a bit more than you want, but
> at least it gives you an idea and starts you thinking in the right direction.

Yup, it did. Thanks. Started me too much thinking :)

> I hope you find this useful..............pk.

It was. Thanks.

Stu/2

--- BBBS/2 v4.00 MP
 * Origin: The Chili Channel * OS/2 - Java - Linux * chilies.com * (6:751/12)
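
Added example, not part of the original message: a toy Python model of the inbound rule quoted above (admit only replies to requests you sent out, or traffic to a port where you run a known service), combining connection state with a "pinhole". The class names, timeout and documentation-range addresses are assumptions made for illustration and do not come from any firewall product named in the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = sent by our machine, "in" = arriving from the net
    proto: str          # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int
    flags: str = ""     # TCP flags: S=SYN, A=ACK, R=RST

class InboundFilter:
    """Default-deny inbound filter: replies to our own requests plus pinholes."""
    def __init__(self, pinholes=(), idle_timeout=60):
        self.pinholes = set(pinholes)   # {(proto, local_port)} of known services
        self.idle_timeout = idle_timeout
        self.flows = {}                 # flow tuple -> time last seen

    def check(self, pkt, now):
        key = (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)
        if key in self.flows and now - self.flows[key] > self.idle_timeout:
            del self.flows[key]         # stale state must not admit late packets
        if pkt.direction == "out":
            self.flows[key] = now       # remember the request we sent
            return "allow-outbound"
        # A bare inbound SYN opens a new connection; it is never a reply.
        new_conn = pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags
        if key in self.flows and not new_conn:
            if "R" in pkt.flags:
                del self.flows[key]     # peer reset: forget the flow
            else:
                self.flows[key] = now
            return "allow-reply"
        if (pkt.proto, pkt.local_port) in self.pinholes:
            return "allow-service"
        return "drop"

def run_sample():
    """Constructed traffic (documentation addresses), not a real capture."""
    fw = InboundFilter(pinholes={("tcp", 21)})      # FTP server opened on purpose
    trace = [
        (0,  Packet("out", "tcp", 1025, "203.0.113.10", 80, "S")),
        (1,  Packet("in",  "tcp", 1025, "203.0.113.10", 80, "SA")),
        (2,  Packet("in",  "tcp", 1025, "198.51.100.7", 80, "SA")),  # wrong peer
        (3,  Packet("in",  "tcp", 139,  "198.51.100.7", 4000, "S")), # unsolicited
        (4,  Packet("in",  "tcp", 21,   "198.51.100.7", 4001, "S")), # pinholed port
        (90, Packet("in",  "tcp", 1025, "203.0.113.10", 80, "A")),   # after timeout
    ]
    return [fw.check(p, t) for t, p in trace]
```

With an empty pinhole set this is the dial-up case 1.b in the quoted text (only sessions initiated from the local end); each pinhole added is one more port that any remote host can reach.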