[Sunhelp] Important Ports on Solaris.

Doug McLaren dougmc at frenzy.com
Fri Aug 20 14:25:35 CDT 1999


On Fri, Aug 20, 1999 at 02:04:05PM -0500, Jonathan Eisch wrote:

| I guess all I need are http, ftp, telnet.  That wasn't too hard.  Are
| there any more that one would suggest opening up?

Outbound or inbound?

If you want to log into the box from the Internet, you'd open up ftp
and telnet inbound.  *Note that both are bad ideas, you're much better
off with ssh.*

Also note that ftp uses more than just one port.  In fact, it uses
ports that are basically random above 1024.  If it's in PASV mode,
these connections go in the same direction as the original ftp
request.  If it's in classic mode, they go in the opposite direction.

Ultimately, you're making a choice between security and functionality.
You can set up a firewall that blocks most things and doesn't break
much, but to get more security you're going to start breaking things.

Personally, I like to not break things.  So I allow all outbound TCP
connections (except for a few, like 6000/tcp, just to save me from
accidents) and block all inbound TCP connections < 1024 except ssh and
smtp.  For UDP, I allow all packets outbound, but block inbound traffic
to ports under 1024 unless it's to port 53 (DNS).

I also block inbound 6000/tcp, 6001/tcp (X), 2049/tcp and 2049/udp
(nfs).

I also block TCP traffic to and from doubleclick.net's address and a
few other sources of banner ads, filtering out many banner ads.  Quite
nice :)

I probably forgot a few things, but if you can do something like this
it'll make a nice start.

-- 
Doug McLaren, dougmc at frenzy.com
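The policy Doug describes, plus the FTP direction rule from earlier in the message, written out as a small decision function so the effect on individual flows can be checked. This is an added illustration, not Doug's actual firewall configuration or a Solaris ipf ruleset; port numbers for ssh, smtp and DNS are the standard ones, which the post does not state, and the outbound TCP block list is assumed to be just 6000/tcp since the post only says "a few, like 6000/tcp".

```python
"""Model of the packet filter described in the post (constructed example,
not a real ruleset): accept or drop the first packet of a flow given its
direction relative to the protected host, protocol and destination port."""

SSH, SMTP, DNS = 22, 25, 53           # assumed standard port numbers
OUTBOUND_TCP_BLOCK = {6000}           # "a few, like 6000/tcp" (X display :0)
INBOUND_BLOCK = {                     # X (6000, 6001) and NFS (2049), as listed
    "tcp": {6000, 6001, 2049},
    "udp": {2049},
}

def filter_packet(direction, proto, dst_port):
    """Return 'accept' or 'drop'.

    direction: 'in' (from the Internet to this host) or 'out'
    proto:     'tcp' or 'udp'
    dst_port:  destination port of the connection's first packet
    """
    if direction not in ("in", "out") or proto not in INBOUND_BLOCK:
        raise ValueError("unknown direction or protocol")

    if direction == "out":
        # All outbound TCP and UDP passes, apart from the accident-savers.
        if proto == "tcp" and dst_port in OUTBOUND_TCP_BLOCK:
            return "drop"
        return "accept"

    # Inbound: explicitly blocked services first.
    if dst_port in INBOUND_BLOCK[proto]:
        return "drop"
    # Privileged ports are closed except ssh and smtp (TCP) and DNS (UDP).
    if dst_port < 1024:
        if proto == "tcp" and dst_port in (SSH, SMTP):
            return "accept"
        if proto == "udp" and dst_port == DNS:
            return "accept"
        return "drop"
    # Unprivileged inbound ports stay open; this is what lets the random
    # high-port FTP data connections described in the post get through.
    return "accept"

def ftp_data_direction(role, mode):
    """Direction of the FTP data connection relative to this host.

    role: 'client' or 'server' for this host; mode: 'pasv' or 'active'.
    In PASV the client opens the data connection (same direction as the
    control connection); in active mode the server opens it to the client.
    """
    client_opens = (mode == "pasv")
    return "out" if (role == "client") == client_opens else "in"
```

For an FTP client behind this filter, `filter_packet(ftp_data_direction("client", "active"), "tcp", 40000)` returns `accept` only because inbound high ports are left open; tightening that rule is exactly the kind of change that starts "breaking things".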
