I work from a default-deny stance. Usual things to then allow in would be 25 (smtp), 80 (http), 22 (ssh, although be careful here), 53-UDP (DNS, if you have bind running), and various ICMP (echo-reply/request, source-quench, destination-unreachable, time-exceeded, and parameter-problem are good ones).
I deny and log pretty much everything else, although I do have special DENY rules for stuff like NetBIOS (137/138) so they don't hit the trap line at the end which logs everything not caught above, filling up my logs.
I believe the 1028-UDP port you're talking about is the syslogd talking to itself (you'll notice it's on the loopback address [127.0.0.1] and established to port 514, which is the syslog port). If you've got an external address talking to your syslog port... well... good luck.
At 12:57 PM 4/5/2001 -0700, Brandon High wrote:
Does anyone have a recommendation of ports that should be blocked (via ipchains/netfilter/etc) to make a system more secure? In light of the recent security holes, I did a netstat -an, then lsof -i for all ports that were listening and/or UDP. I put a filter in the way of everything that I didn't want externally visible, but UDP port 1028 shows nothing listening in lsof. I blocked it out of principle, but does anyone know what it might be?

-B
--
Brandon High [EMAIL PROTECTED]
We are Homer of Borg. Resistance is ... Ooo! Donuts!
--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -
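The default-deny layout described in the reply above (allow 25/80/22 and 53-UDP, a handful of ICMP types, a silent DENY for NetBIOS noise, then a trap line that logs and drops everything else) written out as a script. This is an added example, not Eric's own ruleset: it uses iptables (netfilter) syntax rather than the ipchains commands he would have used, and it assumes a single public interface named in `EXT_IF` (default `eth0`) with sendmail, Apache, sshd and bind all running on the host. Run it with no arguments to print the rules for review; run it as root with `--apply` to install them.

```shell
#!/bin/sh
# Default-deny host firewall, written as an added example in iptables syntax.
# Assumptions (not from the original post): one public interface $EXT_IF,
# services on 25/tcp, 80/tcp, 22/tcp and 53/udp. The poster used ipchains,
# whose option syntax differs from what is shown here.

EXT_IF="${EXT_IF:-eth0}"   # assumed public interface

# rule: print the command in dry-run mode (default), execute it when APPLY=1
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# emit_ruleset: the whole policy, top to bottom, in evaluation order
emit_ruleset() {
    rule -F INPUT
    rule -P INPUT DROP          # default deny: nothing in unless listed below
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT

    # Loopback stays open; this is where syslogd talks to itself on 514/udp
    rule -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened itself
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services deliberately exposed on the public interface
    for port in 25 80 22; do
        rule -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # DNS, only because bind is assumed to run here
    rule -A INPUT -i "$EXT_IF" -p udp --dport 53 -j ACCEPT

    # The ICMP types named in the reply
    for t in echo-request echo-reply source-quench destination-unreachable \
             time-exceeded parameter-problem; do
        rule -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Known noise (NetBIOS 137/138) dropped silently so it never reaches
    # the logging trap line and fills the logs
    rule -A INPUT -p udp --dport 137:138 -j DROP

    # Trap line: log (rate-limited so a flood cannot fill the disk), then drop
    rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix FW-DENY:
    rule -A INPUT -j DROP
}

case "${1:-}" in
    --apply) APPLY=1; emit_ruleset ;;
    *)       emit_ruleset ;;
esac
```

Order matters: the loopback and ESTABLISHED rules sit first so that syslogd's own 514/udp traffic and return packets never fall through to the trap line, and the NetBIOS DROP sits just before the LOG rule so it is the only thing that silences a class of traffic without recording it.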