[Sunhelp] Important Ports on Solaris.
Jonathan Eisch
jeisch at boku.net
Fri Aug 20 15:26:50 CDT 1999
Thank you for the help. I wasn't aware of much of this before.
Doug McLaren wrote:
>
> On Fri, Aug 20, 1999 at 02:04:05PM -0500, Jonathan Eisch wrote:
>
> | I guess all I need are http, ftp, telnet. That wasn't too hard. Are
> | there any more that one would suggest opening up?
>
> Outbound or inbound?
>
> If you want to log into the box from the Internet, you'd open up ftp
> and telnet inbound. *Note that both are bad ideas, you're much better
> off with ssh.*
>
> Also note that ftp uses more than just one port. In fact, it uses
> ports that are basically random above 1024. If it's in PASV mode,
> these connections go in the same direction as the original ftp
> request. If it's in classic mode, they go in the opposite direction.
>
> Ultimately, you're making a choice between security and functionality.
> You can set up a firewall that blocks most things and doesn't break
> much, but to get more security you're going to start breaking things.
>
> Personally, I like to not break things. So I allow all outbound TCP
> connections (except for a few, like 6000/tcp, just to save me from
> accidents) and block all inbound TCP connections < 1024 except ssh and
> smtp. For UDP, I allow all packets outbound, but block inbound traffic
> to ports under 1024 unless it's to port 53 (DNS).
>
> I also block inbound 6000/tcp, 6001/tcp (X) 2049/tcp and 2049/udp
> (nfs).
>
> I also block TCP traffic to and from doubleclick.net's address and a
> few other sources of banner ads, filtering out many banner ads. Quite
> nice :)
>
> I probably forgot a few things, but if you can do something like this
> it'll make a nice start.
>
> --
> Doug McLaren, dougmc at frenzy.com
>
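The inbound/outbound policy Doug describes above, written out as a small rule evaluator and run against constructed sample packets. This is an added example, not code from the thread; it assumes the standard port numbers for ssh (22), smtp (25) and DNS (53), which the message names by service only, and it models a packet by protocol, direction and destination port alone.

```python
# Added example: Doug's stated host-firewall policy as an ordered decision
# function, evaluated against constructed sample packets (not from the list).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    direction: str  # "in" (Internet -> host) or "out" (host -> Internet)
    dport: int      # destination port on the receiving side

# Assumed standard ports for the services named in the message.
SSH, SMTP, DNS = 22, 25, 53
X11_TCP = {6000, 6001}
NFS = 2049

def evaluate(pkt: Packet) -> str:
    """Return 'allow' or 'block' for pkt under the quoted policy."""
    if pkt.direction == "out":
        # All outbound traffic passes, except 6000/tcp "to save me from accidents".
        if pkt.proto == "tcp" and pkt.dport == 6000:
            return "block"
        return "allow"
    # Inbound: explicit blocks for X (6000, 6001/tcp) and nfs (2049 tcp+udp).
    if pkt.proto == "tcp" and pkt.dport in X11_TCP | {NFS}:
        return "block"
    if pkt.proto == "udp" and pkt.dport == NFS:
        return "block"
    # Inbound privileged ports: only ssh and smtp (tcp) and DNS (udp).
    if pkt.dport < 1024:
        if pkt.proto == "tcp":
            return "allow" if pkt.dport in {SSH, SMTP} else "block"
        return "allow" if pkt.dport == DNS else "block"
    # High ports pass; this is why a classic-mode ftp data connection
    # (server -> client high port) still works under this policy.
    return "allow"

# Constructed sample traffic covering each branch of the policy.
SAMPLES = {
    "inbound telnet":        Packet("tcp", "in", 23),
    "inbound ssh":           Packet("tcp", "in", SSH),
    "inbound smtp":          Packet("tcp", "in", SMTP),
    "inbound dns query":     Packet("udp", "in", DNS),
    "inbound nfs udp":       Packet("udp", "in", NFS),
    "inbound X display":     Packet("tcp", "in", 6000),
    "inbound ftp data":      Packet("tcp", "in", 40000),  # classic-mode data conn
    "outbound http":         Packet("tcp", "out", 80),
    "outbound X display":    Packet("tcp", "out", 6000),
}

def classify_samples() -> dict:
    """Map each sample name to the policy decision."""
    return {name: evaluate(p) for name, p in SAMPLES.items()}
```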