Firewall woes - ports to be used

Antony Stone Antony at SOFT-SOLUTIONS.CO.UK
Thu Dec 11 17:43:21 GMT 2003


On Thursday 11 December 2003 5:00 pm, Plant, Dean wrote:

> The information from the Spamassassin docs (below) show two rules, is only
> the outbound rule required?

Depends whether your firewall is stateful or not (i.e. whether it can allow
"reply packets" without needing to be told explicitly what those are going to
be).

In the Linux world, if you're using the old ipchains, you need two rules per
service, one for the outbound requests, and one for the inbound replies. If
you're using the new iptables, you need one rule for the outbound request,
and a single generic rule allowing reply packets (in response to anything
going out of the firewall), which is not specific to DCC, Razor, Pyzor, or
whatever.

Stateful (iptables) is more secure, because it does not allow packets in from
remote servers to high ports on local machines unless they are replies to
something you were happy to allow out in the first place.

Stateless (ipchains) will allow external systems more opportunity to port scan
your network, and possibly even access some services, depending on what port
numbers you're running them on (e.g. Squid on 3128 falls into the high range).

Stateful is also simpler, because you need N+1 rules to support N services.
Stateless requires 2N rules.

If you want more detail on this I can recommend the netfilter mailing list -
about as busy as this one and almost as friendly :)

Antony.

> Also note that DCC requires that you open your firewall for DCC reply
> packets on UDP port 6277. DCC uses UDP packets when replying, which
> are blocked by most firewalls by default. As a result, it requires
> that you open your firewall for DCC reply packets on UDP port 6277.
> Here's sample firewall rules required:
>
>       allow udp local gt 1023 to remote 6277
>       allow udp remote 6277 to local gt 1023
>
>
> -----Original Message-----
> From: Antony Stone [mailto:Antony at SOFT-SOLUTIONS.CO.UK]
> Sent: 11 December 2003 12:30
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Firewall woes - ports to be used
>
> On Thursday 11 December 2003 12:26 pm, Plant, Dean wrote:
> > FYI - the Razor ports are only required outbound.
>
> I should hope that is true of all of them!?
>
> (Assuming your firewall allows in reply packets - but none of the services
> should be initiated from outside....)
>
> Antony.
>
> > -----Original Message-----
> > From: Randal, Phil [mailto:prandal at HEREFORDSHIRE.GOV.UK]
> > Sent: 11 December 2003 11:43
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Firewall woes - ports to be used
> >
> >
> > Razor:  7/tcp and 2703/tcp
> >
> > DCC: 6277/udp
> >
> > pyzor: 24441/udp
> >
> > Cheers,
> >
> > Phil
> >
> > ---------------------------------------------
> > Phil Randal
> > Network Engineer
> > Herefordshire Council
> > Hereford, UK
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > > Behalf Of Michele Neylon :: Blacknight Solutions
> > > Sent: 11 December 2003 11:27
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Re: Firewall woes - ports to be used
> > >
> > >
> > > I can't see any reference to it in the FAQ :(
> > >  Help!!
> > >
> > > Mr. Michele Neylon
> > > Blacknight Internet Solutions Ltd
> > > http://www.blacknightsolutions.ie/
> > > http://www.search.ie/
> > > Tel. + 353 (0)59 9137101
> > > Lowest price domains in Ireland
> > >
> > > > -----Original Message-----
> > > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > > > Behalf Of Spicer, Kevin
> > > > Sent: 11 December 2003 11:20
> > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > Subject: Re: Firewall woes - ports to be used
> > > >
> > > > Michele Neylon :: Blacknight Solutions wrote:
> > > > > After installing a new firewall we seem to have run into a number of
> > > > > issues regarding required ports.
> > > > > Can anybody help/advise?
> > > > > We are using:
> > > > > MailScanner
> > > > > with SA, Razor, Pyzor, DCC and the RBLs (of course)
> > > >
> > > > I _think_ this is in the FAQ

--
Perfection in design is achieved not when there is nothing left to add, but
rather when there is nothing left to take away.

 - Antoine de Saint-Exupery

                                                     Please reply to the list;
                                                           please don't CC me.
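As an added illustration of the stateful-versus-stateless point made above (not code from the thread or from any of the tools named in it), here is a toy packet filter that applies the two ipchains-style DCC rules quoted from the SpamAssassin docs and, beside them, an iptables-style set with one outbound rule plus a generic reply rule. The hosts, source ports and packets are constructed for the demo.

```python
# Added example: contrast the stateless pair of DCC rules with a stateful rule set.
# Hosts, ports and packets below are constructed for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool  # True when the packet is leaving the protected network


LOCAL, REMOTE = "192.0.2.10", "203.0.113.5"  # constructed example addresses


def stateless_ok(p: Pkt) -> bool:
    """ipchains-style: the two explicit DCC rules quoted in the thread."""
    if p.outbound and p.proto == "udp" and p.sport > 1023 and p.dport == 6277:
        return True   # allow udp local gt 1023 to remote 6277
    if not p.outbound and p.proto == "udp" and p.sport == 6277 and p.dport > 1023:
        return True   # allow udp remote 6277 to local gt 1023
    return False


class StatefulFilter:
    """iptables-style: one outbound rule per service plus a single generic reply rule."""

    def __init__(self) -> None:
        self.flows: set = set()  # (proto, local, lport, remote, rport) seen going out

    def ok(self, p: Pkt) -> bool:
        if p.outbound:
            if p.proto == "udp" and p.dport == 6277:  # the one DCC-specific rule
                self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return True
            return False
        # the generic rule: inbound is allowed only if it answers a tracked outbound flow
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows


def demo() -> dict:
    query = Pkt("udp", LOCAL, 40000, REMOTE, 6277, outbound=True)    # our DCC request
    reply = Pkt("udp", REMOTE, 6277, LOCAL, 40000, outbound=False)   # the genuine reply
    probe = Pkt("udp", REMOTE, 6277, LOCAL, 3128, outbound=False)    # unsolicited, to a high port
    sf = StatefulFilter()
    return {
        "stateless": [stateless_ok(query), stateless_ok(reply), stateless_ok(probe)],
        "stateful": [sf.ok(query), sf.ok(reply), sf.ok(probe)],
    }
```

The stateless set passes all three packets, because the second rule matches anything from remote port 6277 to any high local port; the stateful set passes the request and its reply but drops the unsolicited probe.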


