The firewall-configuring task requires an individual approach and depends on the specific tasks the server is to solve. Nevertheless, a few recommendations can be given. These are the following:
Start by prohibiting everything for everyone. People acquire a taste for good things quickly, and once users become accustomed to some service, it will be difficult to wean them from it, even if it is not necessary to them.
If possible, all types of ICMP messages, especially ping, should be prohibited. I will return to the subject of the danger posed by network scanning using ICMP packets many times throughout the book.
Prohibit access to port 111. This port is used by portmapper, which is necessary for performing Remote Procedure Calls (RPCs) and receiving the results. The rpcinfo utility can be used to find out which RPC services are running on your server. For example, execute the following command:
rpcinfo -p localhost
The result will look similar to the following:
   Program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    391002    2   tcp  32769  sgi_fam
As you can see, quite a bit of information can be obtained with just one command; thus, port 111 must be closed.
To make controlling access to ports easier, divide the open resources into the following two categories:
Those for public access, including visitors from the Internet.
Those for use only within the network. For example, such services as FTP and Telnet are inherently dangerous because they can be used to upload files to the server and to execute commands. If these services are not necessary for Internet visitors, external connections to them should be explicitly prohibited.
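The four recommendations above, put together as one iptables ruleset. This is an added example, not a script from the book; it assumes a constructed internal network of 192.168.1.0/24 on which FTP and Telnet are permitted, eth0 as the Internet-facing interface, and HTTP as the only public service. By default it only prints the commands for review; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example: firewall ruleset following the recommendations in the text.
# Assumptions (constructed, not from the original): LAN 192.168.1.0/24, WAN interface eth0.
IPT="${IPT:-echo iptables}"     # dry-run by default; IPT=iptables applies the rules
LAN="${LAN:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"

firewall_rules() {
    # 1. Start by prohibiting everything for everyone: default-deny for incoming
    #    and forwarded traffic, then rebuild the INPUT chain from scratch.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    # Loopback and replies to connections the server itself opened stay allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. Drop every ICMP type, including echo-request (ping), from everyone.
    $IPT -A INPUT -p icmp -j DROP
    # 3. Close port 111 (portmapper) on TCP and UDP explicitly, so it stays closed
    #    even if the default policy is later loosened.
    $IPT -A INPUT -p tcp --dport 111 -j DROP
    $IPT -A INPUT -p udp --dport 111 -j DROP
    # 4a. Public category: HTTP is reachable from anywhere, including the Internet.
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    # 4b. Internal-only category: FTP (21) and Telnet (23). Connections arriving
    #     on the Internet interface are explicitly prohibited; the LAN is allowed.
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 21,23 -j DROP
    $IPT -A INPUT -s "$LAN" -p tcp -m multiport --dports 21,23 -j ACCEPT
}

firewall_rules
```

Review the printed rules first, then run with IPT=iptables as root; the LAN and WAN_IF variables can be overridden the same way.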