4.15. Advice on Configuring a Firewall

Configuring a firewall is always an individual task: the rules depend on what the server is there to do and who needs to reach it. Nevertheless, a few recommendations hold for almost any server. They are the following:

  • Start by prohibiting everything for everyone (a default-deny policy), then open only what is actually needed. People acquire a taste for good things quickly: once users become accustomed to a service, it is difficult to wean them from it, even when they do not really need it, so it is far easier never to open a port than to close it later.

  • If possible, prohibit all types of ICMP messages, especially echo requests (ping). One exception is worth keeping: ICMP type 3 code 4 ("fragmentation needed"), which path MTU discovery depends on; dropping it silently breaks connections that pass through a link with a smaller MTU. I will return to the subject of the danger posed by network scanning using ICMP packets many times throughout the book.

  • Prohibit access to port 111 (on both TCP and UDP). This port is used by portmapper, the directory service that RPC clients query to find out on which port a given Remote Procedure Call (RPC) program is listening. The rpcinfo utility lists the RPC services registered on a server. For example, execute the following command:

     rpcinfo -p localhost 

The result will look similar to the following:

    program vers proto   port
     100000    2   tcp    111  portmapper
     100000    2   udp    111  portmapper
     100024    1   udp  32768  status
     100024    1   tcp  32768  status
     391002    2   tcp  32769  sgi_fam

As you can see, quite a bit of information can be obtained with just one command, and an attacker obtains exactly the same listing with rpcinfo -p <host> from anywhere port 111 is reachable; thus, port 111 must be closed. Keep in mind that closing port 111 only hides the directory: status (rpc.statd, used for NFS lock recovery) and sgi_fam (the File Alteration Monitor) in the listing above still listen on ports 32768 and 32769, and a port scan will find them. Either block those ports as well or, better, stop the RPC services the server does not need.

  • To make controlling access to ports easier, divide the open resources into the following two categories:

    • Those for public access, including visitors from the Internet.

    • Those for use only within the network. For example, such services as FTP and Telnet are inherently dangerous because they can be used to upload files to the server and to execute commands, and both send the login name and password across the network in plaintext. If these services are not necessary for Internet visitors, external connections to them should be explicitly prohibited and only connections from the internal network allowed.
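The four recommendations above put together in a single script, as an added example that is not from the book. It assumes iptables (this section does not name the tool), a server that offers HTTP to the Internet and FTP and Telnet only to an internal network, and the hypothetical LAN address 192.168.1.0/24; by default the script only prints each rule it would load, so it can be inspected safely, and setting IPT=iptables and running it as root applies the rules for real.

```shell
#!/bin/sh
# Added example (not from the book): a default-deny iptables ruleset that
# follows the four recommendations of this section.
# Assumptions, hypothetical for illustration:
#   LAN      the internal network that may use FTP and Telnet
#   port 80  the only service open to the whole Internet
# IPT defaults to a dry run that prints each rule instead of loading it;
# run with IPT=iptables as root to apply the rules.

IPT="${IPT:-echo iptables}"      # used unquoted below on purpose: "echo iptables" must split into two words
LAN="${LAN:-192.168.1.0/24}"

firewall_rules() {
    # 1. Prohibit everything for everyone: flush old rules, then set the
    #    default policy to DROP for incoming and forwarded traffic. Anything
    #    not explicitly allowed below is dropped.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback traffic and replies to connections the server itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. ICMP: ping (echo-request) only from the LAN; keep "fragmentation
    #    needed" (type 3, code 4) so path MTU discovery keeps working; every
    #    other ICMP message is dropped.
    $IPT -A INPUT -s "$LAN" -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    $IPT -A INPUT -p icmp -j DROP

    # 3. Portmapper: port 111 closed on TCP and UDP (rpcinfo can use either).
    $IPT -A INPUT -p tcp --dport 111 -j DROP
    $IPT -A INPUT -p udp --dport 111 -j DROP

    # 4a. Public services: reachable from anywhere.
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT

    # 4b. Internal-only services: FTP and Telnet accepted from the LAN only;
    #     a connection from any other source falls through to the DROP policy.
    $IPT -A INPUT -s "$LAN" -p tcp --dport 21 -j ACCEPT
    $IPT -A INPUT -s "$LAN" -p tcp --dport 23 -j ACCEPT
}

firewall_rules
```

Rule order matters: the LAN ping rule has to come before the rule that drops the rest of ICMP, and the ESTABLISHED,RELATED rule near the top keeps the server from dropping the return packets of its own outgoing connections. For FTP, the data connection is only matched as RELATED when the ftp connection-tracking helper module is loaded; without it the data ports would need rules of their own.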



Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141
