Allow all "high UDP" or not ?
on 17.11.2004 12:32:23 by kolokol_2004
Hi,
My firewall is McAfee Desktop Firewall.
It has a rule named "Allow all high UDP" (local ports 1024-65535 and
remote ports 1204-65535). Please, what is this rule? Is it safe to leave
such a large range of UDP ports open? I noticed that if I block all
high UDP ports (or delete this rule), the network/Internet still
works fine... so I do not understand what it is for...
For better security settings, should I allow all "high UDP" or block
them ?
Thank you for help & comments...
Mordicus
Re: Allow all "high UDP" or not ?
on 17.11.2004 13:01:23 by lb
I forgot to say: this rule is set for high UDP in both directions (incoming
and outgoing).
Is it all right? Safe?
Re: Allow all "high UDP" or not ?
on 17.11.2004 14:09:58 by dvader
>I forgot to say: this rule is set for high UDP in both directions (incoming
>and outgoing).
>Is it all right? Safe?
Safe, or not, you need it. Services that use UDP, like DNS, will use high ports
to send the request and receive the response. Since UDP is a connectionless
protocol, your computer must be able to accept remotely initiated traffic.
--
Dave "Crash" Dummy - A weapon of mass destruction
crash@gpick.com?subject=Techtalk (Do not alter!)
http://lists.gpick.com
Re: Allow all "high UDP" or not ?
on 17.11.2004 15:04:38 by lb
Thank you very much for this precious information. I won't touch it.
""Crash" Dummy" wrote in message
news:10pmjd6mcibj788@corp.supernews.com...
>>I forgot to say: this rule is set for high UDP in both directions (incoming
>>and outgoing).
>
>>Is it all right? Safe?
>
> Safe, or not, you need it. Services that use UDP, like DNS, will use high
> ports to send the request and receive the response. Since UDP is a
> connectionless protocol, your computer must be able to accept remotely
> initiated traffic.
> --
> Dave "Crash" Dummy - A weapon of mass destruction
> crash@gpick.com?subject=Techtalk (Do not alter!)
> http://lists.gpick.com
>
>
Re: Allow all "high UDP" or not ?
on 17.11.2004 16:27:12 by badnews
On Wed, 17 Nov 2004 08:09:58 -0500, "Crash" Dummy spoketh
>>I forgot to say: this rule is set for high UDP in both directions (incoming
>>and outgoing).
>
>>Is it all right? Safe?
>
>Safe, or not, you need it. Services that use UDP, like DNS, will use high ports
>to send the request and receive the response. Since UDP is a connectionless
>protocol, your computer must be able to accept remotely initiated traffic.
Shouldn't there be an "allow DNS" rule that specifically allows anything
with a destination port 53/UDP and any source port? Simply allowing all
high-port UDP in both directions is way too open, and should not be
considered to be on the safe side.
I would recommend looking for the specific DNS rule, and if it's there,
disable the questionable rule to see how everything is working out
without it...
Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Re: Allow all "high UDP" or not ?
on 17.11.2004 18:29:06 by Casey
In article <8ef00a56.0411170332.63bb32a4@posting.google.com>, kolokol_2004@speedpost.net says...
> Hi,
>
> My firewall is McAfee Desktop Firewall.
>
> It has a rule named "Allow all high UDP" (local ports 1024-65535 and
> remote ports 1204-65535). Please, what is this rule? Is it safe to leave
> such a large range of UDP ports open? I noticed that if I block all
> high UDP ports (or delete this rule), the network/Internet still
> works fine... so I do not understand what it is for...
>
> For better security settings, should I allow all "high UDP" or block
> them ?
>
> Thank you for help & comments...
>
> Mordicus
>
I have always understood that the best "rule-of-thumb" for
creating firewall rules is "Block Everything That You Don't
Use". Consequently, on my Win98 box, my UDP rule is:
UDP, Block, local/remote ports 1-52, 54-65535, in/out.
I needed UDP port 53 for DNS.
Works just fine.
Casey
p.s. I also apply this philosophy to ICMP types and TCP ports.
Re: Allow all "high UDP" or not ?
on 17.11.2004 23:10:35 by lb
Thank you all for these comments. As I already said, I tried to delete this
rule (so closing the high UDP ports) and it worked (apparently). So as you
suggest, I am going to change the rule from "allow" to "block", and leave a
special open port for UDP in/out on port 53 (I do not understand anything
about DNS but I will try it your way). I want to set up a safe system,
but also a functional one because I use many Internet apps, including (sometimes)
P2P (phone and file sharing) which, I know, is not recommended for safety...
> I would recommend looking for the specific DNS rule
I already have an "allow DNS" rule created by default: UDP (both in/out) -
local: any port - remote: DNS 53 - IP address: any. Is this OK? Nothing to
change?
> p.s. I also apply this philosophy to ICMP types and TCP ports.
Do you mean to CREATE two similar rules to BLOCK the 1024-65535 TCP and ICMP
ports in both directions (in/out)?
Thank you again for your help and advice!
Mordicus LB
Re: Allow all "high UDP" or not ?
on 18.11.2004 00:42:10 by lb
Well, after reading your recommendations, I realize that I may be taking risks
unnecessarily... since I do not understand Internet security related
subjects well and since I am using a few preset rules that may lead to a security
flaw.
Could someone agree to have a look at my firewall preset rules (I can mail
them in a jpg attached file - I did not succeed in sending an attached file
with my post on this newsgroup) and tell me if there are rules I could (or
should) delete (or change). I am a basic Internet home user, directly connected
to the Internet by dial-up ADSL modem (without router), and using only
common applications (web browser, mail, some P2P, etc.). My PC is running
WinXP SP2. I am trying to learn about security by myself but I am still far
from being an expert, and many terms (protocol names, etc.) are still
incomprehensible to me.
Thank you again for your advice.
PS: by the way, when I block the "all ICMP" rule, I often lose my
Internet connection (the ADSL modem has to reconnect). So I allow all ICMP. Is
it dangerous?
Re: Allow all "high UDP" or not ?
on 18.11.2004 00:56:32 by Casey
In article <419bcbb5$0$2357$8fcfb975@news.wanadoo.fr>, anonymous@spamafraid.com says...
> Thank you all for these comments. As I already said, I tried to delete this
> rule (so closing the high UDP ports) and it worked (apparently). So as you
> suggest, I am going to change the rule from "allow" to "block", and leave a
> special open port for UDP in/out on port 53 (I do not understand anything
> about DNS but I will try it your way). I want to set up a safe system,
> but also a functional one because I use many Internet apps, including (sometimes)
> P2P (phone and file sharing) which, I know, is not recommended for safety...
>
> > I would recommend looking for the specific DNS rule
>
> I already have an "allow DNS" rule created by default: UDP (both in/out) -
> local: any port - remote: DNS 53 - IP address: any. Is this OK? Nothing to
> change?
I am not familiar with your firewall rule structure.
You do need to connect to UDP remote port 53 for DNS.
>
> > p.s. I also apply this philosophy to ICMP types and TCP ports.
>
> Do you mean to CREATE two similar rules to BLOCK the 1024-65535 TCP and ICMP
> ports in both directions (in/out)?
I can't recommend anything for ICMP. (Searches of the net reveal no consensus.)
For TCP, I have two rules.
One to Block, TCP, Remote Ports, in/out, all hosts
(except ports 13,20,21,25,37,43,80,110,119,443,8080,11371)
Second one to Block, TCP, Local Ports, in/out, all hosts
(except ports 1024 to 5000)
Those listed as exceptions are required by my applications.
>
> Thank you again for help and advices !
>
> Mordicus LB
>
>
Re: Allow all "high UDP" or not ?
on 18.11.2004 01:48:13 by badnews
On Thu, 18 Nov 2004 00:42:10 +0100, LB spoketh
>Well, after reading your recommendations, I realize that I may be taking risks
>unnecessarily... since I do not understand Internet security related
>subjects well and since I am using a few preset rules that may lead to a security
>flaw.
>
>Could someone agree to have a look at my firewall preset rules (I can mail
>them in a jpg attached file - I did not succeed in sending an attached file
>with my post on this newsgroup) and tell me if there are rules I could (or
>should) delete (or change). I am a basic Internet home user, directly connected
>to the Internet by dial-up ADSL modem (without router), and using only
>common applications (web browser, mail, some P2P, etc.). My PC is running
>WinXP SP2. I am trying to learn about security by myself but I am still far
>from being an expert, and many terms (protocol names, etc.) are still
>incomprehensible to me.
>
>Thank you again for your advice.
>PS: by the way, when I block the "all ICMP" rule, I often lose my
>Internet connection (the ADSL modem has to reconnect). So I allow all ICMP. Is
>it dangerous?
>
Everyone's needs are a little different, but for the regular guy who
only browses the web and sends & receives e-mail, the following basics
should suffice:
1) There should be nothing allowed inbound.
2) There should be nothing allowed outbound.
3) Allow only outbound the few things you need, which are (usually)
port 80/tcp and 443/tcp for web browsing,
port 53/udp for DNS,
port 25/tcp to send e-mail,
port 110/tcp to collect e-mail,
port 20/tcp and 21/tcp for ftp,
port 119/tcp for usenet, and
port 123/udp for ntp (setting the clock on your computer).
ICMP has been a disputed topic. Some say to block it all, as any
responses to ICMP would ruin your computer's "stealthiness". However,
blocking certain ICMP messages may cause other problems, such as the
inability to get an IP address...
Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Re: Allow all "high UDP" or not ?
on 18.11.2004 07:00:27 by lb
Really a great thanks to you both for this info. I sent an email to Lars
Hansen.
Re: Allow all "high UDP" or not ?
on 18.11.2004 07:22:26 by lb
I could not send any mails to you, Lars Hansen; your address beginning with
"news" does not appear to be working. I've tried your "webmaster" email from your
site and it is not working either. Any working address? (mine is:
kolokol_2004@funspeedpost.net // remove the 3 letters "fun")
Re: Allow all "high UDP" or not ?
on 18.11.2004 12:12:02 by badnews
On Thu, 18 Nov 2004 07:22:26 +0100, LB spoketh
>I could not send any mails to you, Lars Hansen; your address beginning with
>"news" does not appear to be working. I've tried your "webmaster" email from your
>site and it is not working either. Any working address? (mine is:
>kolokol_2004@funspeedpost.net // remove the 3 letters "fun")
>
My e-mail is working just fine. I have an aggressive spam filter, and
that might be the reason why. Did the rejection message say anything
specific??
Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
Re: Allow all "high UDP" or not ?
on 18.11.2004 13:12:40 by lb
> My e-mail is working just fine. I have an aggressive spam filter, and
> that might be the reason why. Did the rejection message say anything
> specific??
Outlook Express gave me an error message and could not send the mail. I
forgot the message content. If you want, I can try again to send you the mail
to your "news" address and copy the message.
I sent the message again (replying to your mail), from an online mailbox, and
apparently it worked.
For testing purposes, I am trying to send you the message again with the
attached file (200 KB) from Outlook Express (to your "news" address).
Re: Allow all "high UDP" or not ?
on 18.11.2004 13:18:55 by lb
This time the message is gone... maybe the error was caused by my firewall
settings (I was testing different settings for more security and may have
made mistakes).
Re: Allow all "high UDP" or not ?
on 19.11.2004 00:00:30 by Casey
>
>
> Everyone's needs are a little different, but for the regular guy who
> only browses the web and sends & receives e-mail, the following basic
> should suffice:
>
> 1) There should be nothing allowed inbound.
> 2) There should be nothing allowed outbound.
> 3) Allow only outbound the few things you need, which are (usually)
> port 80/tcp and 443/tcp for web browsing,
> port 53/udp for DNS,
> port 25/tcp to send e-mail,
> port 110/tcp to collect e-mail,
> port 20/tcp and 21/tcp for ftp,
> port 119/tcp for usenet, and
> port 123/udp for ntp (setting the clock on your computer).
Hi Lars,
I have been using Sygate Firewall for 4 years. The advanced rules set up
by default allow all protocols/ports. Consequently all rules
I created were based on blocking all I didn't want. After reading
your post, I got to thinking about the benefits of using a mix of
allow and block rules, it being easier/shorter to type in the
few things you want to allow than typing the long list of blocks.
Example being tested: (1) Allow TCP, list R/L ports, outbound.
(2) Block TCP, all ports R/L, in/out. (Rule 1 has priority and rule 2
must always follow rule 1.) I have been browsing and exercising a
lot of my applications and this new approach seems to work well.
When I get through with my rules overhaul, I will have about half
as many rules and I think it will offer more security.
Thanks for the heads up.
Casey
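To make the two rule layouts discussed in this thread concrete, here is an added Python model (written for this page; it is not McAfee or Sygate code) of a stateless, first-match personal-firewall rule set: the original poster's preset with "Allow all high UDP" beside the default-deny layout that keeps only the specific DNS rule. The sample packets and their port numbers are constructed; the model also shows why the catch-all block must come after the allow, as Casey's rule ordering requires.

```python
from dataclasses import dataclass

ANY = (1, 65535)
HIGH = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "block"
    proto: str        # "udp" or "tcp"
    direction: str    # "in", "out" or "both"
    local: tuple      # inclusive local port range
    remote: tuple     # inclusive remote port range

    def matches(self, proto, direction, lport, rport):
        return (self.proto == proto
                and self.direction in (direction, "both")
                and self.local[0] <= lport <= self.local[1]
                and self.remote[0] <= rport <= self.remote[1])


# The preset "allow DNS" rule from the thread: UDP, both directions,
# local any, remote 53. A stateless filter needs the inbound half because
# the DNS reply comes back from remote port 53 to the local high port.
ALLOW_DNS = Rule("allow", "udp", "both", ANY, (53, 53))
BLOCK_ALL_UDP = Rule("block", "udp", "both", ANY, ANY)

# Policy A: the original poster's preset, with "Allow all high UDP" present.
ALLOW_HIGH_UDP = [ALLOW_DNS, Rule("allow", "udp", "both", HIGH, HIGH), BLOCK_ALL_UDP]

# Policy B: the default-deny layout the replies recommend. The specific allow
# must precede the catch-all block (Casey's "rule 2 must always follow rule 1").
DEFAULT_DENY = [ALLOW_DNS, BLOCK_ALL_UDP]


def decide(policy, proto, direction, lport, rport):
    """First matching rule wins; if nothing matches, block."""
    for rule in policy:
        if rule.matches(proto, direction, lport, rport):
            return rule.action
    return "block"


# Constructed sample traffic as (proto, direction, local port, remote port).
SAMPLES = {
    "dns_query_out": ("udp", "out", 3012, 53),
    "dns_reply_in": ("udp", "in", 3012, 53),
    "unsolicited_udp_in": ("udp", "in", 5000, 40000),  # nobody asked for this
}


def evaluate(policy):
    return {name: decide(policy, *pkt) for name, pkt in SAMPLES.items()}
```

Both policies let DNS work, which is why the poster saw no difference when removing the high-UDP rule; only the default-deny layout blocks the unsolicited inbound datagram.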
Re: Allow all "high UDP" or not ?
on 19.11.2004 06:35:32 by Don Kelloway
"Lars M. Hansen" wrote in message
news:g7rnp0t34onqjfencarqldpeb3kolutv9d@4ax.com...
> On Thu, 18 Nov 2004 00:42:10 +0100, LB spoketh
>
>>Well, after reading your recommendations, I realize that I may be taking risks
>>unnecessarily... since I do not understand Internet security related
>>subjects well and since I am using a few preset rules that may lead to a security
>>flaw.
>>
>>Could someone agree to have a look at my firewall preset rules (I can mail
>>them in a jpg attached file - I did not succeed in sending an attached file
>>with my post on this newsgroup) and tell me if there are rules I could (or
>>should) delete (or change). I am a basic Internet home user, directly connected
>>to the Internet by dial-up ADSL modem (without router), and using only
>>common applications (web browser, mail, some P2P, etc.). My PC is running
>>WinXP SP2. I am trying to learn about security by myself but I am still far
>>from being an expert, and many terms (protocol names, etc.) are still
>>incomprehensible to me.
>>
>>Thank you again for your advice.
>>PS: by the way, when I block the "all ICMP" rule, I often lose my
>>Internet connection (the ADSL modem has to reconnect). So I allow all ICMP.
>>Is it dangerous?
>>
>
> Everyone's needs are a little different, but for the regular guy who
> only browses the web and sends & receives e-mail, the following basic
> should suffice:
>
> 1) There should be nothing allowed inbound.
> 2) There should be nothing allowed outbound.
> 3) Allow only outbound the few things you need, which are (usually)
> port 80/tcp and 443/tcp for web browsing,
> port 53/udp for DNS,
> port 25/tcp to send e-mail,
> port 110/tcp to collect e-mail,
> port 20/tcp and 21/tcp for ftp,
> port 119/tcp for usenet, and
> port 123/udp for ntp (setting the clock on your computer).
>
> ICMP has been a disputed topic. Some say to block it all, as any
> responses to ICMP would ruin your computer's "stealthiness". However,
> blocking certain ICMP messages may cause other problems, such as the
> inability to get an IP address...
>
Lars' reply is on the money, but I'd like to add to the blocking of ICMP.
Years ago Windows 95 and early versions of Windows 98 were susceptible to a
Denial of Service if they received large ICMP packets involved in PINGing.
Along with the fact that ICMP can be used to 'map' the systems within a LAN,
determine which ports are open/closed, etc., many persons simply chose to
block ICMP outright.
Unfortunately ICMP is used for many things. One of the most useful types is
Type 11, which is to negotiate the size of the packets (MTU) passed
between hosts so as to obtain the best speed possible. When the decision is made
to block ICMP, be aware that you may be causing more harm than good. If it's
possible, consider blocking ICMP Type 3 and Type 8.
--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".