I would like to point out, for a start, that most of these Instant Messenger, ICQ and other services have settings that will work with firewalls. They will use defined ports that you can open in your firewall, but I agree that a Security Policy would have to be set up so that the questions of which of these services will be beneficial and allowed and which are just fun knick-knacks can be answered.
---- "Eric N. Valor" <[EMAIL PROTECTED]> wrote:
> I had a very similar problem when trying to help set up a SOHO as a
> favor. This person wanted good security, but also wanted to be able to do
> Internet phone stuff and the gamut of Instant Messenger crap. After much
> wrangling and explanation until I was blue in the face I finally got them
> to "understand" the rather marginal security stance and opened up whole
> blocks of UDP so they could have their services.
>
> Windows machines and the types of services folks like to run on them are
> typically the antithesis of good firewalling practices. Your question goes
> beyond the technical issue and into the esoteric and subjective realm of
> determining an acceptable security stance for your network.
>
> For what you've described, you'll need to determine on which range of ports
> these services listen (UDP/TCP/both?) and then arrange your IPChains/Tables
> rules accordingly, starting with the default DENY policy and then allowing
> in the ranges as desired.
>
> Again, be careful - all of the "fun" Net services care not a whit about
> security.
>
> At 08:49 AM 5/18/2001 +1000, Cassandra Ludwig wrote:
> >I have an interesting little problem here.
> >
> >I want to as a default REJECT all packets from my firewall's external
> >interface, and then allow in only certain packets. I have already written
> >rules to allow in the services I am running on the firewall (like http,
> >http-secure, smtp, imap, pop3, etc.), however it seems that I need to add in
> >a never-ending list of ports to allow the windows machines behind the
> >firewall full access to their response packets. My biggest concern with
> >that is that with some of them (ICQ for one) the ports are more often than
> >not dynamic...
> >My real question here is, how would I go about allowing the
> >windows machine(s) behind the firewall to receive full responses from the
> >internet without returning the firewall back to its previous default state
> >of ACCEPT. There are so many ports under 1024 that I want to block off from
> >external use, and I do not personally feel like blocking all 1010 (or
> >whatever) ports manually.
> >
> >Regards,
> >  Cassandra
>
> --
> Eric N. Valor
> Webmeister/Inetservices
> Lutris Technologies
> [EMAIL PROTECTED]
>
> - This Space Intentionally Left Blank -
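The thing Cassandra is asking for, letting the Windows hosts receive replies without enumerating every response port, is exactly what connection tracking provides. What follows is an added example, not code from the thread or from either poster: a default-DROP iptables ruleset in which replies are accepted by state (`-m state --state ESTABLISHED,RELATED`) rather than by port, so ICQ's dynamic ports never have to appear in a rule. It assumes eth0 is the external interface, eth1 the internal one, 192.168.1.0/24 is the LAN, the LAN is masqueraded behind the external address, and the firewall serves smtp, http, pop3, imap and https; all of these are assumptions, not details from the thread. It needs the netfilter stack (iptables on a 2.4 kernel or later). ipchains has no state match; the closest it gets is `! -y` for TCP (accept anything that is not a SYN) plus the reply tracking that masquerading does for NATed traffic.

```shell
#!/bin/sh
# Added example, not part of the thread: a default-DROP iptables ruleset for the
# situation Cassandra describes. Replies to connections opened from inside are
# accepted by connection-tracking state, so no per-application port ranges
# (ICQ's dynamic ports included) have to be opened on the external interface.
#
# Assumptions (not stated in the thread): eth0 is the external interface, eth1
# the internal one, 192.168.1.0/24 is the LAN behind the firewall, the LAN is
# masqueraded behind the firewall's external address, and the firewall itself
# serves smtp, http, pop3, imap and https.

IPT=${IPT:-iptables}
EXT=${EXT:-eth0}
INT=${INT:-eth1}
LAN=${LAN:-192.168.1.0/24}

# With DRY_RUN=1 the rules are printed instead of applied, so the ruleset can be
# reviewed (or checked by a script) without root or a Linux kernel.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

firewall_rules() {
    # Start clean; default DROP for everything arriving at or passing through the box.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: packets claiming a LAN source must never arrive on the outside.
    ipt -A INPUT   -i "$EXT" -s "$LAN" -j DROP
    ipt -A FORWARD -i "$EXT" -s "$LAN" -j DROP

    # The rule that answers the question: anything that is a reply to a
    # connection already in the tracking table (a TCP connection, or a UDP
    # address/port pair seen going out) is accepted whatever port it arrives on.
    # RELATED additionally admits secondary connections a helper expects (FTP data).
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections from outside are accepted only to the firewall's own services.
    for port in 25 80 110 143 443; do
        ipt -A INPUT -i "$EXT" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Hosts on the LAN may open new connections outward. This is the policy
    # decision Eric refers to; narrow it per port or per host here if wanted.
    ipt -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -m state --state NEW -j ACCEPT

    # Hide the LAN behind the external address; conntrack maps the replies back.
    ipt -t nat -A POSTROUTING -o "$EXT" -s "$LAN" -j MASQUERADE

    # Log (rate-limited) what the default policy is about to drop.
    ipt -A INPUT -i "$EXT" -m limit --limit 5/min -j LOG --log-prefix "fw-drop:"
}

# Number of rules that accept traffic purely by connection state (one per chain).
count_state_rules() {
    ( DRY_RUN=1; firewall_rules ) | grep -c -- '--state ESTABLISHED,RELATED -j ACCEPT'
}

# Number of rules that open a port to NEW connections arriving from outside:
# only the firewall's own services, none for the Windows hosts' applications.
count_inbound_new_rules() {
    ( DRY_RUN=1; firewall_rules ) | grep -c -e "-i $EXT .*--state NEW -j ACCEPT"
}

case "${1:-}" in
    --apply) firewall_rules ;;                  # needs root and a netfilter kernel
    *)       ( DRY_RUN=1; firewall_rules ) ;;   # default: only print the rules
esac
```

Run it with `--apply` as root to install the rules; with no arguments it prints them for review. Two caveats that matter for the services in the thread: a UDP "connection" in conntrack is just an address/port pair with a timeout, so a reply arriving after the timeout is dropped like any other unsolicited packet; and this only covers traffic the inside initiates. An ICQ direct connection or voice session that the remote side opens inbound still needs a port forward or a conntrack helper for that protocol, which is where Eric's "whole blocks of UDP" come from. On current kernels `-m conntrack --ctstate` is the preferred spelling, but `-m state` still works.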

