Nope, I am using NG and I have to open the upper ports, otherwise I am
unable to get emails on my mail server. I have tried to avoid opening the upper
ports but ....
Aqeel
----- Original Message -----
From: "Volker Tanger" <[EMAIL PROTECTED]>
To: "Fauzi Badron" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, April 22, 2002 11:57 PM
Subject: Re: Open port 1023-65535


> Greetings!
>
> Fauzi Badron wrote:
> >
> > Is it suitable to open tcp ports 1023 to 65535 for the mail server at my
> > firewall?
>
> By definition a mail server only needs SMTP plus maybe POP or IMAP. But
> I guess you're talking about a Microsoft Exchange server? MSX uses
> Microsoft-RPCs (tcp/135 plus server-side-opened tcp/1024+) for data
> exchange.
>
> Two ways to handle this - best use both:
>
> - if you use CheckPoint's Firewall-1: there you have RPC filters for
>    MSX. Use them if you can.
>
> - set the RPC server port (i.e. the connection issued by the server) to
>    one fixed port. This way you only need to open one port in, not all
>    above 1024. See M$-KnowledgeBase articles Q155831 and Q148732 for
>    details. You may run into resource problems with this if you have a
>    large number of clients, though.
>
> In either case make REALLY sure that your MSX server is bastioned
> against DoS attacks on the opened port. If possible, restrict the
> access to this port to a limited number of addresses.
>
> If you need to provide access for mobile users, try to find out the
> IP-range your dial-in provider is using and restrict access to that. For
> this scenario personal VPNs would be a better solution though.
>
> Bye
> Volker
>
> --
>
> -------------------------------------------------------------------
> [EMAIL PROTECTED]                                 discon GmbH
> IT-Security Consulting                           Wrangelstrasse 100
> http://www.discon.de/                         10997 Berlin, Germany
> -------------------------------------------------------------------
> PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74  b94c c68e
>
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>
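
An added example, not part of either message: a small Python audit that contrasts the two rule sets discussed in the thread, the full 1023-65535 range open to everyone against tcp/135 plus one fixed RPC port restricted to known source ranges. The rule format, the addresses (documentation ranges), the fixed port tcp/5000 and the audit threshold are assumptions made for the illustration.

```python
import ipaddress

# Constructed rule sets (not from the thread). Addresses are documentation
# ranges; tcp/5000 is a hypothetical fixed RPC port chosen for illustration.
WIDE_OPEN = [
    {"src": "0.0.0.0/0", "proto": "tcp", "ports": (25, 25)},
    {"src": "0.0.0.0/0", "proto": "tcp", "ports": (1023, 65535)},
]
FIXED_PORT = [
    {"src": "0.0.0.0/0", "proto": "tcp", "ports": (25, 25)},
    {"src": "192.0.2.0/24", "proto": "tcp", "ports": (135, 135)},
    {"src": "192.0.2.0/24", "proto": "tcp", "ports": (5000, 5000)},
    {"src": "198.51.100.0/25", "proto": "tcp", "ports": (135, 135)},
    {"src": "198.51.100.0/25", "proto": "tcp", "ports": (5000, 5000)},
]

HIGH_PORT_START = 1024      # start of the dynamic range RPC picks from
MAX_HIGH_PORTS = 16         # assumed audit threshold for "a range, not a port"


def high_ports(rule):
    """Number of ports >= 1024 that the rule lets in."""
    lo, hi = rule["ports"]
    if lo > hi or not (0 <= lo and hi <= 65535):
        raise ValueError(f"bad port range: {rule['ports']}")
    return max(0, hi - max(lo, HIGH_PORT_START) + 1)


def audit(rules):
    """Return (findings, exposure); exposure = sum of sources x high ports."""
    findings, exposure = [], 0
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule["src"])
        n = high_ports(rule)
        exposure += net.num_addresses * n
        if n > MAX_HIGH_PORTS:
            findings.append((i, f"{n} high ports open"))
        elif n and net.prefixlen == 0:
            findings.append((i, "high port open to any source"))
    return findings, exposure


if __name__ == "__main__":
    for name, rules in (("wide open", WIDE_OPEN), ("fixed port", FIXED_PORT)):
        findings, exposure = audit(rules)
        print(f"{name}: exposure={exposure} findings={findings}")
```

The exposure figure is only a relative measure (source addresses times reachable high ports) for comparing the two rule sets.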
