First of all, you can do whatever you would like with your configuration.  
How tightly you lock down your network is strictly up to you and your 
company's security policy.  The same goes for how you lock it down.  Most 
companies choose to deny everything and only allow what they need because 
it's the most secure way to set up your firewall short of just unplugging 
from the Internet.

Some organizations (mainly Universities) do choose the inverse of this and 
allow everything while only blocking what they don't want to come in.  From 
a security standpoint though, this type of policy is easily thwarted or 
bypassed. You can block telnet to port 23 if you would like but what about 
telnet to port 25?  Someone with devious intentions could do this to your 
mail server and begin probing it for weaknesses.  Now your FW is just an 
expensive set of LEDs in your wiring closet.

The point is that there are too many exploits out there to list in one email 
and they work against the full spectrum of ports (port 0 to +65k).  By only 
blocking the services you can think of, you will be leaving yourself wide 
open to holes you've never thought of or heard about.

Additionally, your question below is somewhat confusing.  Why would you want 
to block ports that you are using?  Do you not want to use them anymore?  
This is just my $.02 worth so take it for what it's worth.

opiesan

>From: "Sebastian Sohn" <[EMAIL PROTECTED]>
>Reply-To: <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: firewalling rules
>Date: Wed, 28 Feb 2001 18:39:17 -0800
>
>I am new in firewall configuration.  It seems that when I read articles on
>the web, people suggest that one should set up the firewalling rules to
>deny everything and allow specifics?
>
>What is wrong with having rules that accept all but deny specifics?
>
>Could I not just block ports that I am using, like telnet 23, ftp 21, ssh
>22, NetBIOS 135-139 and such.  Why should I block everything coming in?
>
>Thanks!
>
>
>-Sebastian
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
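The difference the thread is arguing about, as an added example that is not part of either e-mail: a tiny model of a stateless inbound packet filter with a default policy, used to compare Sebastian's "allow all, deny a few ports" list against a "deny all, allow what the host must serve" list. The rule format, the first-match evaluation order, the choice of SMTP and HTTP as the permitted services, and the probe ports are all constructed assumptions for illustration, not any vendor's syntax.

```python
"""Minimal model of a stateless inbound packet filter with a default policy.

Added example for the firewalls-list thread above; not the configuration of
any real product. Rule shape, port ranges and probe ports are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str      # "allow" or "deny"
    ports: range     # destination TCP ports this rule matches
    note: str = ""   # human-readable label, e.g. the service name


@dataclass
class Policy:
    default: str                        # verdict when no rule matches
    rules: list = field(default_factory=list)

    def verdict(self, dst_port: int) -> str:
        """First matching rule wins; otherwise the default policy applies."""
        for rule in self.rules:
            if dst_port in rule.ports:
                return rule.action
        return self.default

    def exposed_ports(self, limit: int = 65536) -> int:
        """Count destination ports an outside probe can reach (0..limit-1)."""
        return sum(1 for p in range(limit) if self.verdict(p) == "allow")


# Policy A: the "accept all but deny specifics" list from the question.
ALLOW_ALL_DENY_SOME = Policy("allow", [
    Rule("deny", range(23, 24), "telnet"),
    Rule("deny", range(21, 22), "ftp"),
    Rule("deny", range(22, 23), "ssh"),
    Rule("deny", range(135, 140), "NetBIOS 135-139"),
])

# Policy B: deny everything, then allow only the services this host offers
# (SMTP and HTTP are assumed here purely for the example).
DENY_ALL_ALLOW_SOME = Policy("deny", [
    Rule("allow", range(25, 26), "SMTP to the mail server"),
    Rule("allow", range(80, 81), "HTTP"),
])


def compare(probe_ports):
    """Return {port: (verdict under policy A, verdict under policy B)}."""
    return {p: (ALLOW_ALL_DENY_SOME.verdict(p), DENY_ALL_ALLOW_SOME.verdict(p))
            for p in probe_ports}


if __name__ == "__main__":
    # Constructed probes: two listed services, the SMTP port from the reply,
    # and two ports that appear on neither list.
    for port, (a, b) in compare([23, 25, 139, 3389, 8443]).items():
        print(f"port {port:5d}: allow-all/deny-some={a:5s}  deny-all/allow-some={b}")
    print("reachable ports, allow-all policy:", ALLOW_ALL_DENY_SOME.exposed_ports())
    print("reachable ports, deny-all policy: ", DENY_ALL_ALLOW_SOME.exposed_ports())
```

Under policy A the four deny rules close eight ports and leave the other 65528 reachable, including ports 3389 and 8443 that were never on the list; under policy B only the two listed services answer at all, and both policies still let port 25 through, which is the point opiesan makes about probing the mail server.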