Mike Brunt wrote:
> Eric, we use Tiny Firewall for this sort of requirement.
>
> http://www.tinysoftware.com/home/tiny2?la=EN
>
> Hth, I am sure Jochem will have some good recommendations on this also.

I'm not sure if they are good, I could use some peer review ;-)

My usual solution is to enable the built-in packet filter and
not run anything else. Open port 80 for HTTP and optionally 21
for FTP (active only), 443 for HTTPS, X for remote control
software, and leave the rest closed. UDP is a bit more tricky: DNS
will fail because you are really using a client, and the client
runs on an ephemeral port (the server runs on 53). You should be
able to get around this if you have a second NIC and your DNS
server is on the local subnet, or else I just leave it unfiltered
(it is filtered at the router here anyway).
After that, follow the instructions in the Microsoft TCP/IP
whitepaper [1] to further harden your stack. There are also some
templates available from the NSA.

Overall I have not had any problems with such a configuration. It
is also a great way to connect unpatched systems during installation.

[1] http://www.microsoft.com/windows2000/techinfo/howitworks/communications/networkbasics/tcpip_implement.asp

Jochem

--
I don't get it
immigrants don't work
and steal our jobs
     - Loesje
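The policy Jochem describes is a stateless, inbound-only port allowlist, and its side effects (passive FTP data connections and DNS replies to a client both being dropped, the local-subnet workaround) follow from that statelessness. The following is an added example, not code from the thread and not the Windows 2000 filter itself: a small Python model of such a filter, driven by constructed sample traffic on RFC 5737 documentation addresses, so the verdicts for each case can be checked offline. It assumes that TCP segments belonging to a connection the host opened pass and that only connection requests are checked against the allowlist, while UDP is judged per datagram; the port 5900 used for the "remote control" slot is a placeholder.

```python
"""Model of a stateless inbound port allowlist on a server host.

Added example for the mailing-list thread above; this is not the Windows 2000
TCP/IP filtering code, only a model of the policy described in the message.
Assumption: TCP replies to connections this host opened pass, TCP connection
requests (SYN) are checked against the allowlist, UDP is checked per datagram.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple

HTTP, FTP_CONTROL, HTTPS, DNS = 80, 21, 443, 53


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_port: int
    syn: bool = False   # TCP only: True for a connection request


@dataclass
class HostFilter:
    tcp_allowed: FrozenSet[int]
    udp_allowed: Optional[FrozenSet[int]]          # None: UDP left unfiltered
    udp_trusted_subnet: Optional[IPv4Network] = None

    def inbound_permitted(self, pkt: Packet) -> Tuple[bool, str]:
        """Return (verdict, reason) for one inbound packet."""
        if pkt.proto == "tcp":
            if not pkt.syn:
                return True, "reply to a TCP connection this host opened"
            if pkt.dst_port in self.tcp_allowed:
                return True, f"tcp/{pkt.dst_port} is an allowed listening port"
            return False, f"tcp/{pkt.dst_port} is not in the allowlist"
        if pkt.proto == "udp":
            if self.udp_allowed is None:
                return True, "UDP is unfiltered on this host"
            if (self.udp_trusted_subnet is not None
                    and ip_address(pkt.src_ip) in self.udp_trusted_subnet):
                return True, "UDP from the local subnet (second-NIC case)"
            if pkt.dst_port in self.udp_allowed:
                return True, f"udp/{pkt.dst_port} is an allowed port"
            # Stateless: the filter cannot know this datagram answers a query
            # the host sent from an ephemeral port, so it is dropped.
            return False, f"udp/{pkt.dst_port} is an ephemeral client port"
        return False, "protocol not permitted"


def server_policy(ftp: bool = False, remote_control_port: Optional[int] = None,
                  udp_unfiltered: bool = False,
                  local_subnet: Optional[str] = None) -> HostFilter:
    """Build the allowlist from the message: 80, 443, optionally 21 and X."""
    tcp = {HTTP, HTTPS}
    if ftp:
        tcp.add(FTP_CONTROL)
    if remote_control_port is not None:
        tcp.add(remote_control_port)
    return HostFilter(
        tcp_allowed=frozenset(tcp),
        udp_allowed=None if udp_unfiltered else frozenset(),
        udp_trusted_subnet=ip_network(local_subnet) if local_subnet else None,
    )


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE = [
    Packet("tcp", "203.0.113.10", 40001, HTTP, syn=True),         # web client
    Packet("tcp", "203.0.113.10", 40002, HTTPS, syn=True),        # TLS client
    Packet("tcp", "203.0.113.10", 40003, FTP_CONTROL, syn=True),  # FTP control
    Packet("tcp", "203.0.113.10", 40004, 50000, syn=True),        # passive FTP data
    Packet("tcp", "203.0.113.10", 40005, 3389, syn=True),         # unlisted service
    Packet("udp", "198.51.100.53", DNS, 49152),   # DNS reply, remote resolver
    Packet("udp", "192.0.2.53", DNS, 49153),      # DNS reply, resolver on local subnet
]


def verdicts(policy: HostFilter, packets=SAMPLE) -> Dict[Tuple[str, int], bool]:
    """Map (proto, dst_port) of each sample packet to the filter's verdict."""
    return {(p.proto, p.dst_port): policy.inbound_permitted(p)[0] for p in packets}


if __name__ == "__main__":
    policy = server_policy(ftp=True, remote_control_port=5900)  # 5900 is a placeholder
    for p in SAMPLE:
        ok, why = policy.inbound_permitted(p)
        print(f"{p.proto}/{p.dst_port:<5} {'PASS' if ok else 'DROP'}  {why}")
```

Run as-is it prints one verdict per sample packet: the passive FTP data connection and both DNS replies are dropped under the plain policy, which is why the message restricts FTP to active mode and either leaves UDP unfiltered or relies on a resolver on the local subnet. Passing `local_subnet="192.0.2.0/24"` admits only the reply from the local resolver; `udp_unfiltered=True` admits both.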