A Broadband and ADSL forum. BroadbanterBanter


minimal set of outgoing ports

  #1  
Old June 21st 05, 10:08 PM posted to uk.telecom.broadband
Shez
external usenet poster
 
Posts: 5
Default minimal set of outgoing ports

I want to tighten up our office ADSL router's rules on outgoing traffic
to reduce the risk from malware. The question is, what ports are
essential for a basic office LAN web/email setup?

These are the outgoing ports it looks like I need:

smtp 25 tcp
pop3 110 tcp
ftp 20-21 tcp (for downloading only, not serving)
dns 53 tcp+udp
http 80 tcp
https 443 tcp
timeserver 123 udp

Have I missed anything? And are those ports correct? With ftp I wasn't
sure if I need 20 & 21 or just 21. We also have Windows Update and
Norton AV running, do these use port 80 for getting stuff or do they
have dedicated ports?

We have all incoming ports blocked at present, though I notice that my
personal firewall rules at home have the timeserver and ftp ports open
both in and out, I'm not sure if that's right or not - I seem to recall
that ftp uses 21 out and 20 in.

--
__________________________________________________ ____

If only one could get that wonderful feeling of
accomplishment without having to accomplish anything.
__________________________________________________ ____
Take a break at the Last Stop Cafe: http://www.xerez.demon.co.uk/
Reply-to address for email: mailreply AT xerez.demon.co.uk
  #2  
Old June 21st 05, 11:02 PM posted to uk.telecom.broadband
Bob Eager
external usenet poster
 
Posts: 2,472
Default minimal set of outgoing ports

On Tue, 21 Jun 2005 21:08:51 UTC, Shez wrote:

> I want to tighten up our office ADSL router's rules on outgoing traffic
> to reduce the risk from malware. The question is, what ports are
> essential for a basic office LAN web/email setup?
>
> These are the outgoing ports it looks like I need:
>
> smtp 25 tcp
> pop3 110 tcp
> ftp 20-21 tcp (for downloading only, not serving)
> dns 53 tcp+udp
> http 80 tcp
> https 443 tcp
> timeserver 123 udp
>
> Have I missed anything? And are those ports correct? With ftp I wasn't
> sure if I need 20 & 21 or just 21.


FTP isn't quite as simple as that, though. And as for other
ports... you'll just have to see what works and what doesn't... then
perhaps open other ports. And, if you have the option, not allow packets
without TCP ACK set in many cases.

I'd recommend getting a good book - e.g. the O'Reilly firewall book (by
Zwicky et al.) as it gives lots of useful help.
--
[ 7'ism - a condition by which the sufferer experiences an inability
to give concise answers, express reasoned argument or opinion.
Usually accompanied by silly noises and gestures - incurable, early
euthanasia recommended. ]
  #3  
Old June 22nd 05, 12:55 AM posted to uk.telecom.broadband
Chip
external usenet poster
 
Posts: 114
Default minimal set of outgoing ports

On Tue, 21 Jun 2005 22:08:51 +0100, it is alleged that Shez spake thusly in
uk.telecom.broadband:

> [snip]
> We also have Windows Update and
> Norton AV running, do these use port 80 for getting stuff or do they
> have dedicated ports?


Just ran Windows Update with the packet monitor running, all the
connections seemed to be normal http on port 80 or https on port 443,
during the scanning, downloading and installing phases. I don't have
any Symantec products that need LiveUpdate, so can't help on that one.

--
In those days spirits were brave, the stakes were high, men were REAL men,
women were REAL women, and small furry creatures from Alpha Centauri were
REAL small furry creatures from Alpha Centauri.
- The Hitchhiker's Guide to the Galaxy
  #4  
Old June 22nd 05, 11:26 AM posted to uk.telecom.broadband
Spack
external usenet poster
 
Posts: 104
Default minimal set of outgoing ports

Shez wrote on Tue, 21 Jun 2005 22:08:51 +0100:

> I want to tighten up our office ADSL router's rules on outgoing traffic
> to reduce the risk from malware. The question is, what ports are
> essential for a basic office LAN web/email setup?
>
> These are the outgoing ports it looks like I need:
>
> smtp 25 tcp
> pop3 110 tcp

If you can manage it, restrict these to allow access only to the SMTP and
POP3 servers outside of your LAN that you need access to. This will prevent
downloading mail from other mail providers (e.g. from a non-virus checked
mail account), and prevent malware that does get on your systems from
sending out using its own SMTP engine. Also check with your mail provider -
many now require mail that is being sent to non-local accounts (i.e. outside
your own domain) to be sent to port 587 with authenticated SMTP; if that's
the case then don't open 25 out at all, just 587.

> ftp 20-21 tcp (for downloading only, not serving)

You might need more than that, depending on whether the ftp is passive or
active. 20 & 21 are the standard ports, but ports over 1024 incoming are
required if the ftp server isn't able to handle passive connections and your
router doesn't understand the ftp protocol to automatically open the
appropriate ports using stateful inspection as needed.

> dns 53 tcp+udp

tcp is only normally needed for zone transfers of large amounts of data.
Normal DNS lookups will rarely, if at all, use tcp.

> http 80 tcp
> https 443 tcp

> timeserver 123 udp


Have you considered setting up only one machine in your network to sync
with a timeserver, and have all other machines sync with that (either using
an ntp broadcast from the server with ntp clients running on each machine,
or if it's a Windows domain server you only need to update the time on that
machine for Windows clients to be automatically updated).

> Have I missed anything? And are those ports correct? With ftp I wasn't
> sure if I need 20 & 21 or just 21. We also have Windows Update and
> Norton AV running, do these use port 80 for getting stuff or do they
> have dedicated ports?

As already mentioned, 80 and 443.

> We have all incoming ports blocked at present, though I notice that my
> personal firewall rules at home have the timeserver and ftp ports open
> both in and out, I'm not sure if that's right or not - I seem to recall
> that ftp uses 21 out and 20 in.


Not quite - 21 is the command port, 20 is the data port for active ftp but
is the source port from the server. You should only need to open port 21 for
ftp.

Dan
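Putting the port list from the original question together with Dan's tightening (mail ports restricted to the provider, submission on 587 instead of 25, UDP-only DNS, a single NTP host) into a small default-deny egress policy. This is an added example, not code from the thread or from any router; every address, the rule table and the log lines are constructed for illustration, and a real router would express the same policy in its own rule syntax. The second function shows why an egress allow-list is also a detection source: a host whose denied port-25 attempts fan out to several destinations is behaving like the "own SMTP engine" Dan describes.

```python
"""Added example, not code from the thread: a default-deny egress allow-list
for a small office LAN applied to a constructed log of outbound connection
attempts.  All addresses are invented; the documentation ranges 192.0.2.0/24,
198.51.100.0/24 and 203.0.113.0/24 stand in for real hosts."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample hosts: the mail provider, the upstream resolvers and the
# one LAN box that is allowed to talk NTP to the outside world.
MAIL_PROVIDER = frozenset({"203.0.113.25"})
DNS_RESOLVERS = frozenset({"203.0.113.53", "203.0.113.54"})
TIME_SERVER = frozenset({"192.168.1.10"})


@dataclass(frozen=True)
class Rule:
    proto: str
    dport: int
    dst: frozenset = frozenset()   # empty: any destination
    src: frozenset = frozenset()   # empty: any LAN host
    note: str = ""

    def matches(self, src, dst, proto, dport):
        return (self.proto == proto and self.dport == dport
                and (not self.dst or dst in self.dst)
                and (not self.src or src in self.src))


# Anything not listed here is dropped.  Port 25 is absent on purpose, so a
# workstation that tries to deliver mail straight to a remote MX is blocked.
EGRESS_ALLOW = [
    Rule("tcp", 587, dst=MAIL_PROVIDER, note="authenticated submission, provider only"),
    Rule("tcp", 110, dst=MAIL_PROVIDER, note="POP3, provider only"),
    Rule("tcp", 21, note="FTP control channel; data channel needs a helper or proxy"),
    Rule("udp", 53, dst=DNS_RESOLVERS, note="DNS lookups; tcp/53 left closed"),
    Rule("tcp", 80, note="http"),
    Rule("tcp", 443, note="https, also used by Windows Update"),
    Rule("udp", 123, src=TIME_SERVER, note="only the LAN time server syncs externally"),
]


def evaluate(src, dst, proto, dport):
    """First matching allow rule wins; no match means the packet is dropped."""
    for rule in EGRESS_ALLOW:
        if rule.matches(src, dst, proto, dport):
            return "allow", rule.note
    return "deny", "no egress rule"


def apply_policy(log_lines):
    """Run each 'src dst proto dport' line through the policy."""
    decisions = []
    for line in log_lines:
        src, dst, proto, dport = line.split()
        verdict, why = evaluate(src, dst, proto, int(dport))
        decisions.append((src, dst, proto, int(dport), verdict, why))
    return decisions


def suspicious_smtp_senders(decisions, min_distinct=3):
    """Denied direct-to-port-25 attempts fanning out to several destinations
    from one host look like a mass-mailing engine, not a misconfigured client."""
    targets = defaultdict(set)
    for src, dst, proto, dport, verdict, _ in decisions:
        if verdict == "deny" and proto == "tcp" and dport == 25:
            targets[src].add(dst)
    return sorted(host for host, dsts in targets.items() if len(dsts) >= min_distinct)


# Constructed sample of outbound attempts: a workstation (.20) doing normal
# work plus spam-engine behaviour, and the time server (.10) syncing NTP.
SAMPLE_LOG = [
    "192.168.1.20 203.0.113.25 tcp 587",
    "192.168.1.20 198.51.100.7 tcp 25",
    "192.168.1.20 203.0.113.53 udp 53",
    "192.168.1.20 203.0.113.53 tcp 53",
    "192.168.1.20 192.0.2.10 tcp 443",
    "192.168.1.20 192.0.2.123 udp 123",
    "192.168.1.10 192.0.2.123 udp 123",
    "192.168.1.20 198.51.100.8 tcp 25",
    "192.168.1.20 198.51.100.9 tcp 25",
]

if __name__ == "__main__":
    results = apply_policy(SAMPLE_LOG)
    for src, dst, proto, dport, verdict, why in results:
        print(f"{verdict:5} {src} -> {dst} {proto}/{dport}  ({why})")
    print("hosts to investigate:", suspicious_smtp_senders(results))
```

The rule order does not matter here because the rules do not overlap; what matters is that the list is the complete set and everything else is dropped, so a new application that "stops working" shows up as a deny line rather than as an open port nobody remembers adding.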


  #5  
Old June 23rd 05, 12:04 AM posted to uk.telecom.broadband
Ian Stirling
external usenet poster
 
Posts: 807
Default minimal set of outgoing ports

Spack wrote:
> Shez wrote on Tue, 21 Jun 2005 22:08:51 +0100:
>
>> I want to tighten up our office ADSL router's rules on outgoing traffic
>> to reduce the risk from malware. The question is, what ports are
>> essential for a basic office LAN web/email setup?
>>
>> These are the outgoing ports it looks like I need:
>>
>> smtp 25 tcp
>> pop3 110 tcp
>
> If you can manage it, restrict these to allow access only to the SMTP and
> POP3 servers outside of your LAN that you need access to. This will prevent
> downloading mail from other mail providers (eg. from a non-virus checked
> mail account), and prevent malware that does get on your systems from

snip

>> ftp 20-21 tcp (for downloading only, not serving)
>
> You might need more than that, depending on whether the ftp is passive or
> active. 20 & 21 are the standard ports, but ports over 1024 incoming are
> required if the ftp server isn't able to handle passive connections and your
> router doesn't understand the ftp protocol to automatically open the
> appropriate ports using stateful inspection as needed.


I'm sure I saw an FTP proxy somewhere.
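To make the active/passive distinction from the two replies above concrete, here is an added example (not from the thread) that decodes the two FTP control-channel messages a stateful FTP helper or proxy has to parse, the client's PORT command and the server's 227 passive-mode reply, and then checks whether the resulting data connection would get past a router that allows only tcp/21 outbound and blocks every unsolicited inbound connection. The addresses are constructed documentation addresses, and `passes_router` is a simplified model of the decision, not any particular router's behaviour.

```python
"""Added example, not code from the thread: decode FTP PORT / 227 messages
into the data connection they announce and check it against a strict
egress policy with and without an FTP-aware helper.  Addresses are
constructed; the router model is deliberately minimal."""
import re

_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _endpoint(h1, h2, h3, h4, p1, p2):
    # FTP encodes an address as six decimal bytes; the port is p1*256 + p2.
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


def data_channel(control_line):
    """Describe the data connection implied by one control-channel line.

    Active mode: the client sends PORT and the *server* connects back from
    port 20 to the client's listening port (an inbound connection).
    Passive mode: the server answers PASV with 227 and the *client* connects
    out to a server port above 1024 (an outbound high-port connection).
    Returns None for lines that do not set up a data channel.
    """
    m = _PORT_RE.match(control_line)
    if m:
        host, port = _endpoint(*m.groups())
        return {"mode": "active", "initiator": "server", "src_port": 20,
                "dst": (host, port)}
    m = _PASV_RE.match(control_line)
    if m:
        host, port = _endpoint(*m.groups())
        return {"mode": "passive", "initiator": "client", "src_port": None,
                "dst": (host, port)}
    return None


def passes_router(channel, egress_tcp_ports=frozenset({21}), ftp_helper=False):
    """Would this data connection get through a router that allows only the
    listed outbound TCP ports and drops all unsolicited inbound connections?"""
    if channel["mode"] == "active":
        # Inbound connection from the server: blocked unless a helper that
        # read the PORT command opened a pinhole for it.
        return ftp_helper
    # Passive: outbound to a high port, blocked by a plain allow-list unless a
    # helper that read the 227 reply marks it as related to the tcp/21 session.
    return ftp_helper or channel["dst"][1] in egress_tcp_ports


# Constructed control-channel fragment: the client first tries active mode,
# then the server offers a passive port.
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 192,168,1,20,4,1",
    "227 Entering Passive Mode (198,51,100,7,195,80)",
]


def session_summary(lines, ftp_helper=False):
    """(mode, (host, port), passes) for every data channel announced in the session."""
    out = []
    for line in lines:
        ch = data_channel(line)
        if ch:
            out.append((ch["mode"], ch["dst"], passes_router(ch, ftp_helper=ftp_helper)))
    return out


if __name__ == "__main__":
    for helper in (False, True):
        print("ftp helper present:", helper)
        for mode, (host, port), ok in session_summary(SAMPLE_SESSION, helper):
            print(f"  {mode:7} data connection to {host}:{port} -> {'passes' if ok else 'blocked'}")
```

Without a helper, neither form of FTP works through "21 out only, nothing in": active mode needs an inbound connection from the server's port 20, passive mode needs an outbound connection to a port the allow-list does not contain. That is exactly why the earlier replies point at stateful inspection of the FTP protocol or a proxy rather than at opening 20 and 21 in both directions.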
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.Content Relevant URLs by vBSEO 2.4.0
Copyright 2004-2019 BroadbanterBanter.
The comments are property of their posters.