
Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO
May the source be with you!

Tuesday, September 30, 2008

Knowledge: Firewalls (2)

Firewall Moderator
January 1st, 2007

Firewall Questions for beginners
This is just a follow-up post to explain some of the connections that the services and programs mentioned will try to make through a firewall, and the rules that can be put in place.
Originally Posted by Paranoid2000
If you are running Windows XP, the following applies:
Allow access for DNS and DHCP protocols in order to connect to the Internet (required).
Allow access for NTP (to ..., for clock synchronisation) (optional);
Allow access for HTTP, HTTPS (to *) to access online Windows Help (optional).

DHCP Client
Service Name: Dhcp
Process Name: svchost.exe -k netsvcs
Microsoft Service Description: Manages network configuration by registering and updating IP addresses and DNS names
(This is how your computer gets a dynamic IP address so you can connect to the internet. If Internet Connection Sharing is enabled, you need the DHCP Client. It is also required for most DSL/cable connections.)
UDP Ports 67:68
Allow UDP Local port 68 Remote port 67

DNS Client

Service Name: DNS
Process Name: svchost.exe -k NetworkService
Microsoft Service Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
(With this service enabled, svchost will perform all the DNS lookups; if it is disabled, any program that requires it will perform the lookups itself.)
UDP Port 53
Allow UDP Remote port 53

Windows Time Service
Service Name: W32Time
Process Name: svchost.exe -k Netsvcs
Microsoft Service Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
(If you want to synchronize your PC clock to a time server, this is one way to go.)

UDP Port 123
Allow UDP Remote port 123

Help and Support Service
Service Name: helpsvc
Process Name: svchost.exe
Microsoft Service Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
(Some like this service and its ability to connect out to Microsoft for help, but please note that it does not need to connect to the internet to work correctly, and it is optional.)
TCP outbound, Ports 80:443
Allow TCP (outbound connection): Local ports 1024-4999: Remote Ports 80:443
Originally Posted by Paranoid2000
Block access if any is requested for the RPC protocol to any address (a good indication of a compromised system) and for SSDP/UPnP (Universal Plug and Play) unless you are sure that you need it.
Block access for any other incoming traffic (known as Server access in ZoneAlarm or Sygate) - this is to prevent Windows Messenger spam which targets svchost.

Remote Procedure Call (RPC) Locator Service
Service Name: RpcLocator
Process Name: locator.exe
Microsoft Service Description: Manages the RPC name service database.
(When searching for RPC services on the network, a Windows RPC client will connect to the domain controller over TCP port 139/445 (the SMB ports) and search for services/servers through the "locator" named pipe. The need for this on a home PC I have yet to find; as mentioned, it is best to block this.)

SSDP Discovery Service (UPnP)
Service Name: SSDPSRV
Process Name: svchost.exe -k LocalService
Microsoft Service Description: Enables discovery of UPnP devices on your home network.
(This is NOT the Plug'n'Play you may at first think of; it is used for finding external devices. An example is a router that supports UPnP: applications can, by using UPnP, open inbound ports (port forwarding). This was possibly a good idea for ease of use, but it can also be used by Trojans, etc.)

[Signs of SSDP/UPnP activity: svchost will attempt to send UDP out to a remote IP on remote port 1900 and will attempt to listen on local port 1900 (as well as listen on localhost).]
Originally Posted by Paranoid2000
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Firefox\firefox.exe
C:\Program Files\Opera\opera.exe
Allow access for FTP, HTTP, HTTPS protocols to be able to view webpages and download files (apply to whichever browsers you use)
Allow access for POP3, IMAP, SMTP protocols to be able to read and send emails for Opera if using its M2 email client;

HTTP (HyperText Transfer Protocol)
This is the basic connection made by your browser (HTTP, remote port 80) when connecting to the internet. There is some confusion at times due to the way the PC uses local ports: the PC will use a local port somewhere between 1024 and 5000 when connecting out, so a typical firewall rule for HTTP could be:
Allow outbound TCP local ports 1024-5000 remote port 80

HTTPS (HTTP Secure)
This is basically the same as HTTP but encrypts the connection, and connects to remote port 443.
Once again the local ports used can be between 1024-5000, so a typical firewall rule for HTTPS could be:
Allow outbound TCP local ports 1024-5000 remote port 443

FTP (File Transfer Protocol)
This is a commonly used protocol for exchanging files over any network; to connect out, it connects to remote port 21.
Allow outbound TCP local ports 1024-5000 remote port 21.
FTP uses two modes of connection, one known as "Active FTP" and one as "Passive FTP". I will not go into a full explanation of this at this time; I just feel it is "need to know" that when connecting via FTP, other remote ports can be asked for, with the dreaded popup from the firewall, or, if the firewall has a "block all" rule at the end of the ruleset, a "The connection was reset" page.
So at this time I will just say that, when an FTP connection is made, some firewalls will allow these other ports to be used, but some will require an extra rule for the "Passive" connection.
Possible extra rule:
Allow outbound TCP local ports 1024-65535 remote ports 1024-65535

POP3 (Post Office Protocol 3)
This is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server. Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any mail, probably using POP3. This standard protocol is built into most popular e-mail products, such as Eudora and Outlook Express.
Allow outbound TCP local ports 1024-5000 remote port 110.

IMAP (Interactive Mail Access Protocol)
This is another way that e-mails are collected, but it has more advanced options for access/retrieval.
(A more detailed explanation will be given later.)
Allow outbound TCP local ports 1024-5000 remote port 143.

SMTP (Simple Mail Transfer Protocol)
This is a protocol for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server to another; the messages can then be retrieved with an e-mail client using either POP or IMAP. In addition, SMTP is generally used to send messages from a mail client to a mail server. This is why you need to specify both the POP or IMAP server and the SMTP server when you configure your e-mail application.
Allow outbound TCP local ports 1024-5000 remote port 25.
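To see how the svchost.exe rules above, the browser rules for HTTP/HTTPS/FTP and a trailing "block all" rule interact, here is an added example (not from the original post or any firewall product): a first-match rule evaluator that encodes those rules and answers what a given connection attempt would get. The process names and the idea of scoping the passive FTP extra rule to one process are this example's own assumptions.

```python
# Added example, not from the original post: a first-match rule evaluator that
# encodes the per-process rules given above plus a trailing block-all rule.
from dataclasses import dataclass

ANY = (0, 65535)  # inclusive port range meaning "any port"

@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "block"
    process: str    # image name, or "*" for any process
    proto: str      # "tcp", "udp", or "*"
    direction: str  # "out" or "in"
    local: tuple    # inclusive (low, high) range of local ports
    remote: tuple   # inclusive (low, high) range of remote ports

# Rules transcribed from the post; order matters because the first match wins.
RULES = [
    Rule("allow", "svchost.exe", "udp", "out", (68, 68), (67, 67)),         # DHCP client
    Rule("allow", "svchost.exe", "udp", "out", ANY, (53, 53)),              # DNS client
    Rule("allow", "svchost.exe", "udp", "out", ANY, (123, 123)),            # Windows Time
    Rule("allow", "svchost.exe", "tcp", "out", (1024, 4999), (80, 80)),     # Help and Support
    Rule("allow", "svchost.exe", "tcp", "out", (1024, 4999), (443, 443)),
    Rule("block", "svchost.exe", "udp", "out", ANY, (1900, 1900)),          # SSDP/UPnP
    Rule("block", "*", "*", "in", ANY, ANY),                                # no "server access"
    Rule("allow", "iexplore.exe", "tcp", "out", (1024, 5000), (80, 80)),    # HTTP
    Rule("allow", "iexplore.exe", "tcp", "out", (1024, 5000), (443, 443)),  # HTTPS
    Rule("allow", "iexplore.exe", "tcp", "out", (1024, 5000), (21, 21)),    # FTP control
    Rule("block", "*", "*", "out", ANY, ANY),                               # block all (keep last)
]

def matches(rule, process, proto, direction, lport, rport):
    return (rule.process in ("*", process) and rule.proto in ("*", proto)
            and rule.direction == direction
            and rule.local[0] <= lport <= rule.local[1]
            and rule.remote[0] <= rport <= rule.remote[1])

def decide(rules, process, proto, direction, lport, rport):
    """Return (action, index) of the first rule that matches, else a default block."""
    for i, rule in enumerate(rules):
        if matches(rule, process, proto, direction, lport, rport):
            return rule.action, i
    return "block", -1

def with_passive_ftp(rules, process="iexplore.exe"):
    """Insert the post's 'possible extra rule' for passive FTP data connections just
    before block-all, scoped to one process instead of '*' (this example's choice)."""
    extra = Rule("allow", process, "tcp", "out", (1024, 65535), (1024, 65535))
    return rules[:-1] + [extra, rules[-1]]
```

Running `decide` on a passive FTP data connection (local 1200, remote 40000) from the browser shows it hitting the block-all rule, which is the "connection was reset" case the post describes; `with_passive_ftp` adds the extra rule so the same connection is allowed for that one process only.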
