Dave Feustel wrote:
PF works GREAT!
Here is a list of ports that have had data sent to them today.
The 2nd number is the number of packets dropped.
Is there anything in the list that I should pay particular attention to?
Thanks,
Dave Feustel
port  dropped  service         port/proto  description
23    104      telnet          23/udp      Telnet
31    3        msg-auth        31/udp      MSG Authentication
34    4        #               34/udp      Unassigned
35    3                        35/udp      any private printer server
50    8        re-mail-ck      50/udp      Remote Mail Checking Protocol
290   12
296   12
349   18       mftp            349/udp     mftp
376   3        nip             376/udp     Amiga Envoy Network Inquiry Proto
377   8        tnETOS          377/udp     NEC Corporation
380   1        is99s           380/udp     TIA/EIA/IS-99 modem server
487   5        saft            487/udp     saft Simple Asynchronous File Transfer
490   2        micom-pfs       490/udp     micom-pfs
495   2        intecourier     495/udp     intecourier
496   2        pim-rp-disc     496/udp     PIM-RP-DISC
525   5        timed           525/udp     timeserver
900   1        omginitialrefs  900/udp     OMG Initial Refs
906   8
921   5
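A list like the one above can be produced straight from pflog. The script below is an added example and is not part of Dave's message or of PF itself: it reads the text that `tcpdump -n -e -ttt -r /var/log/pflog` prints, counts blocked inbound packets per destination port, and looks the port up in /etc/services. The sample log lines embedded in it are constructed (documentation-range addresses), and the exact field layout it assumes (`rule N/(match) block in on IF: src.port > dst.port: ...`) is that of OpenBSD's tcpdump on a pflog file; adjust the awk field logic if your build prints packets differently.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what PF blocked, per destination
# port, in the same columns as Dave's list. Real use:
#   tcpdump -n -e -ttt -r /var/log/pflog | report_blocked

# Constructed sample of pflog text (assumed tcpdump layout, fake addresses).
SAMPLE_PFLOG='Jan 10 09:12:01.000001 rule 2/(match) block in on em0: 192.0.2.10.40321 > 198.51.100.5.23: udp 12
Jan 10 09:12:02.000002 rule 2/(match) block in on em0: 192.0.2.10.40322 > 198.51.100.5.23: udp 12
Jan 10 09:12:03.000003 rule 2/(match) block in on em0: 192.0.2.11.51000 > 198.51.100.5.34: udp 8
Jan 10 09:12:04.000004 rule 5/(match) pass in on em0: 192.0.2.12.52000 > 198.51.100.5.22: S 1:1(0) win 65535
Jan 10 09:12:05.000005 rule 2/(match) block in on em0: 192.0.2.13.53000 > 198.51.100.5.525: udp 40
Jan 10 09:12:06.000006 rule 2/(match) block in on em0: 192.0.2.13.53001 > 198.51.100.5.23: udp 12
Jan 10 09:12:07.000007 rule 2/(match) block in on em0: 192.0.2.14.54000 > 198.51.100.5.80: S 1:1(0) win 65535'

# Read pflog text on stdin; print "port proto dropped" for blocked inbound
# packets, one line per port, lowest port first. Passed packets and outbound
# blocks are ignored, as are lines without a port (e.g. ICMP).
summarize_blocked() {
    awk '
    /\(match\) block in on / {
        # the destination is the field after ">" and looks like "a.b.c.d.port:"
        dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i == ">") { dst = $(i + 1); proto = $(i + 2); break }
        }
        if (dst == "") next
        sub(/:$/, "", dst)
        n = split(dst, part, ".")
        port = part[n]
        # tcpdump prints the literal word "udp" for UDP but TCP flags (S, ., P ...) for TCP
        if (proto != "udp") proto = "tcp"
        count[port " " proto]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort -n
}

# Service name for "port proto" from /etc/services, or "unassigned" if not listed.
service_of() {
    name=$(awk -v want="$1/$2" '$2 == want { print $1; exit }' /etc/services 2>/dev/null)
    printf '%s\n' "${name:-unassigned}"
}

# Same columns as Dave's list: port, dropped count, port/proto, service name.
report_blocked() {
    summarize_blocked | while read -r port proto dropped; do
        printf '%-6s %-8s %-10s %s\n' "$port" "$dropped" "$port/$proto" "$(service_of "$port" "$proto")"
    done
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | report_blocked
```

Only `block in` entries are counted, so a port that shows up here is one nothing on the box answers; it is a record of what was tried, not of a problem, which is the point Daniel makes below.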
Hi Dave,
Excuse me for asking it like this, but shouldn't you know the services you
are running on your box, and as such allow traffic to those ports, instead
of asking "here are the ports that receive traffic, what should I do about
them?"
The first thing in trying to protect your server(s) with PF is actually
knowing what services you run, or want to run, on that box; then you allow
traffic to these ports and only these ports...
Maybe I am out of line, but it looks to me like you need to take a hard
look at what you want to run on that box and block the rest. In the end,
so what if someone scans all 65K ports on your box and you see them in
your logs? If they are blocked properly and you run nothing on them, why
even care if someone tests them?
If I were paranoid, I would actually look at the traffic I allow in on
some sensitive ports, if I cared about it, to see whether something on
them should be limited more. For the rest, why care? They are blocked and
that's the end of them!
If you want to be very paranoid, then not only block incoming ports, but
also all outgoing ports, and only allow the specific ports that you know
should be allowed out. The reason for this would be that if, for example,
your box, running php, gets compromised on the php side and then tries to
connect to another web server, and you know it is not supposed to, then
blocking connections going out to port 80 would reduce your risk even
more on that box, and by doing so will even reduce the risk of compromise
via php, since connections out from your server are not allowed to port
80.
It is a bit harder to put in place, but again, if you have a security
plan, then you know what type of traffic you are supposed to have, and
the excuse that "my traffic is very complex, so blocking outgoing traffic
wouldn't work" doesn't stand, as that's an excuse used many times simply
because one doesn't know their own requirements.
PF allows you amazing control, and even limits on specific traffic if you
like that, so pushing it to the limits would be interesting, but it is so
flexible that I would be surprised if you ever reached them!
Anyway, block all, allow what you have services running on, block
outgoing if you like on things that shouldn't be there, and sleep well!
The rest, who cares what someone tries to access on your box if the
filters are well designed!
So, design them for what you run, right!?
Have fun.
Daniel
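The policy Daniel describes, written out as a pf.conf. This is an added example and not Daniel's own ruleset or anything from the thread; it assumes the external interface is em0, that the box runs ssh and a web server, and that it needs only DNS and NTP outbound. The outbound rules deliberately omit port 80, which is the php scenario above.

```pf
# Added example pf.conf (not from this thread): default deny in both directions,
# then open only what this box actually runs and needs.
ext_if      = "em0"                # assumed external interface
inbound_tcp = "{ ssh, www }"       # the services this box runs; nothing else answers
out_udp     = "{ domain, ntp }"    # what the box itself needs to reach
out_tcp     = "{ domain }"         # no www/https out: a compromised php process
                                   # cannot open a connection to port 80 elsewhere

set skip on lo
antispoof quick for $ext_if

# Default policy: drop everything, both directions, and log it to pflog so
# "tcpdump -n -e -ttt -r /var/log/pflog" shows what was tried.
block log all

# Inbound: only the services we run.
pass in on $ext_if proto tcp from any to ($ext_if) port $inbound_tcp keep state

# Outbound: only the ports in the plan. Replies to these come back through state,
# so no extra "pass in" is needed for them.
pass out on $ext_if proto udp from ($ext_if) to any port $out_udp keep state
pass out on $ext_if proto tcp from ($ext_if) to any port $out_tcp keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because the outbound list is closed, anything the box legitimately needs that is not in it (an outbound ssh from the box, a package fetch over http or https) fails until you add it; that is the exercise of writing down your own requirements that Daniel is talking about, and each thing you add is a conscious decision rather than a default.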