 From:  Peter <peter at iwebsl dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: Fwd: [m0n0wall] newbie question - about ports
 Date:  Wed, 21 Sep 2005 09:55:07 -0400
Point taken about the subject. 

My ports are minimal but I would like them to be as tight as possible. I have tried a few combos
like external DNS 53 to internal DNS to 53 and I'm not getting errors. I'm assuming that ssl is the
same range as browsers, 1024 to 65535. I'll test the rest and see what happens.

Thanks,
Peter

> I'd like to tighten up some of my basic rules. I'm aware that when
> setting up a rule for http port 80 that you must allow an external
> range of 1024 - 65535 to 80 but what about some of the other
> services?
> Is DNS 53 to 53, smtp 25 to 25, pop 110 to 110 or do they have
> external ranges as well? Is there a master list that outlines all
> the protocols?
>
> TCP/UDP   *   *   master   53 (DNS)      NAT DNS server
> TCP       *   *   server   443 (HTTPS)   NAT ssl server
> TCP       *   *   master   25 (SMTP)     NAT smtp server
> TCP       *   *   master   110 (POP3)    NAT pop3 server
>

> http://www.stengel.net/tcpports.htm
> well-known ports. This is just one location on the net.
>
>>> I'm aware that when setting up a rule for http port 80 that you
>>> must allow an external range of 1024 - 65535 to 80 but what
>>> about some of the other services?
>>>
> This is correct if the traffic is inbound. Opposite for outbound.
>
> If you have problems with a particular service...always check the
> diagnostic > logs > firewall. This will tell you what's being
> blocked, from and to, and port.
>
> The protocols you've listed are minimal. If you're doing any gaming or
> VOIP, IM..etc, these are additional ports to consider.
>
> One other thing, no disrespect intended, "newbie question" is a
> terrible subject line. Please try to use a more descriptive subject.
> It will ultimately help down the road. I have found this list server
> and many of its participants to be extremely helpful, with
> relatively few "flamers".
>
> Good Luck,
>
> - Don
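
The source-port question in this thread can be checked empirically. The following is an added example, not part of the original messages: it records the source port the OS assigns to each client connection and counts how many flows each style of rule discussed above would match. The function names, the rule tuple layout and the loopback stand-in listener are assumptions made for the illustration.

```python
# Added example (not from the thread): observe which source ports clients
# actually use, then test those flows against firewall-style port rules.
import socket

def observe_flows(n=3):
    """Open n TCP connections to a loopback listener; return (src_port, dst_port) pairs."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # stand-in service; unprivileged code cannot bind 53/25/110
    srv.listen(n)
    dst_port = srv.getsockname()[1]
    flows = []
    for _ in range(n):
        client = socket.create_connection(("127.0.0.1", dst_port))
        conn, peer = srv.accept()
        flows.append((peer[1], dst_port))   # peer[1] is the client's source port
        conn.close()
        client.close()
    srv.close()
    return flows

def rule_matches(rule, src_port, dst_port):
    """rule = (src_lo, src_hi, dst_port); the source range is inclusive."""
    lo, hi, dport = rule
    return lo <= src_port <= hi and dst_port == dport

def evaluate(flows, service_port):
    """Count how many flows each rule style would pass for one service port."""
    rules = {
        "N to N": (service_port, service_port, service_port),
        "1024-65535 to N": (1024, 65535, service_port),
        "any to N": (0, 65535, service_port),
    }
    return {name: sum(rule_matches(r, s, d) for s, d in flows)
            for name, r in rules.items()}

if __name__ == "__main__":
    live = observe_flows()
    print("observed (src, dst):", live)
    print("live flows matched:", evaluate(live, live[0][1]))
    # Constructed sample: two clients on OS-chosen ports and one peer that
    # sends from port 53 itself, all talking to DNS on port 53.
    sample = [(40000, 53), (51515, 53), (53, 53)]
    print("constructed DNS flows matched:", evaluate(sample, 53))
```

Comparing the counts against the firewall log entries Don mentions shows which source-port restriction is dropping legitimate clients.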