Networking Forums
minimal set of outgoing ports

 
 
Shez
      06-21-2005, 09:08 PM
I want to tighten up our office ADSL router's rules on outgoing traffic
to reduce the risk from malware. The question is, what ports are
essential for a basic office LAN web/email setup?

These are the outgoing ports it looks like I need:

smtp 25 tcp
pop3 110 tcp
ftp 20-21 tcp (for downloading only, not serving)
dns 53 tcp+udp
http 80 tcp
https 443 tcp
timeserver 123 udp

Have I missed anything? And are those ports correct? With ftp I wasn't
sure if I need 20 & 21 or just 21. We also have Windows Update and
Norton AV running; do these use port 80 for getting stuff or do they
have dedicated ports?

We have all incoming ports blocked at present, though I notice that my
personal firewall rules at home have the timeserver and ftp ports open
both in and out, I'm not sure if that's right or not - I seem to recall
that ftp uses 21 out and 20 in.

--
______________________________________________________

If only one could get that wonderful feeling of
accomplishment without having to accomplish anything.
______________________________________________________
Take a break at the Last Stop Cafe: http://www.xerez.demon.co.uk/
Reply-to address for email: mailreply AT xerez.demon.co.uk
 

Bob Eager
      06-21-2005, 10:02 PM
On Tue, 21 Jun 2005 21:08:51 UTC, Shez
<(E-Mail Removed)> wrote:

> I want to tighten up our office ADSL router's rules on outgoing traffic
> to reduce the risk from malware. The question is, what ports are
> essential for a basic office LAN web/email setup?
>
> These are the outgoing ports it looks like I need:
>
> smtp 25 tcp
> pop3 110 tcp
> ftp 20-21 tcp (for downloading only, not serving)
> dns 53 tcp+udp
> http 80 tcp
> https 443 tcp
> timeserver 123 udp
>
> Have I missed anything? and are those ports correct? With ftp I wasn't
> sure if I need 20 & 21 or just 21.


FTP isn't quite as simple as that, though. And as for other
ports... you'll just have to see what works and what doesn't... then
perhaps open other ports. And, if you have the option, not allow packets
without TCP ACK set in many cases.

I'd recommend getting a good book - e.g. the O'Reilly firewall book (by
Zwicky et al.) as it gives lots of useful help.
--
[ 7'ism - a condition by which the sufferer experiences an inability
to give concise answers, express reasoned argument or opinion.
Usually accompanied by silly noises and gestures - incurable, early
euthanasia recommended. ]
 

Chip
      06-21-2005, 11:55 PM
On Tue, 21 Jun 2005 22:08:51 +0100, it is alleged that Shez
<(E-Mail Removed)> spake thusly in
uk.telecom.broadband:

[snip]
>We also have Windows Update and
>Norton AV running, do these use port 80 for getting stuff or do they
>have dedicated ports?


Just ran Windows Update with the packet monitor running; all the
connections seemed to be normal http on port 80 or https on port 443,
during the scanning, downloading and installing phases. I don't have
any Symantec products that need LiveUpdate, so can't help on that one.

--
In those days spirits were brave, the stakes were high, men were REAL men,
women were REAL women, and small furry creatures from Alpha Centauri were
REAL small furry creatures from Alpha Centauri.
- The Hitchhiker's Guide to the Galaxy
 

Spack
      06-22-2005, 10:26 AM
Shez wrote on Tue, 21 Jun 2005 22:08:51 +0100:

> I want to tighten up our office ADSL router's rules on outgoing traffic
> to reduce the risk from malware. The question is, what ports are
> essential for a basic office LAN web/email setup?
>
> These are the outgoing ports it looks like I need:
>
> smtp 25 tcp
> pop3 110 tcp


If you can manage it, restrict these to allow access only to the SMTP and
POP3 servers outside of your LAN that you need access to. This will prevent
downloading mail from other mail providers (e.g. from a non-virus-checked
mail account), and prevent malware that does get on your systems from
sending out using its own SMTP engine. Also check with your mail provider -
many now require mail that is being sent to non-local accounts (i.e. outside
your own domain) to be sent to port 587 with authenticated SMTP; if that's
the case then don't open 25 out at all, just 587.

> ftp 20-21 tcp (for downloading only, not serving)


You might need more than that, depending on whether the ftp is passive or
active. 20 & 21 are the standard ports, but ports over 1024 incoming are
required if the ftp server isn't able to handle passive connections and your
router doesn't understand the ftp protocol to automatically open the
appropriate ports using stateful inspection as needed.

> dns 53 tcp+udp


tcp is only normally needed for zone transfers of large amounts of data.
Normal DNS lookups will rarely, if at all, use tcp.

> http 80 tcp
> https 443 tcp
>
> timeserver 123 udp

Have you considered setting up only one machine in your network to sync
with a timeserver, and having all other machines sync with that (either using
an ntp broadcast from the server with ntp clients running on each machine,
or, if it's a Windows domain server, you only need to update the time on that
machine for Windows clients to be automatically updated)?

> Have I missed anything? and are those ports correct? With ftp I wasn't
> sure if I need 20 & 21 or just 21. We also have Windows Update and
> Norton AV running, do these use port 80 for getting stuff or do they
> have dedicated ports?


As already mentioned, 80 and 443.

> We have all incoming ports blocked at present, though I notice that my
> personal firewall rules at home have the timeserver and ftp ports open
> both in and out, I'm not sure if that's right or not - I seem to recall
> that ftp uses 21 out and 20 in.


Not quite - 21 is the command port, 20 is the data port for active ftp but
is the source port from the server. You should only need to open port 21 for
ftp.

Dan
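
As an added example (not from any poster in this thread), the egress policy the replies converge on, with mail pinned to the provider and 587 in place of 25, FTP limited to port 21 outbound, DNS on 53, web on 80/443 and NTP from a single machine, written up as a small Python evaluator that also renders the equivalent iptables lines for a Linux router. All addresses are constructed placeholders; TCP 53 is kept from Shez's list because a resolver falls back to TCP when a UDP answer is truncated.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses (not from the thread): the office LAN, the
# ISP's mail hosts, and the single LAN machine allowed to talk to an NTP server.
LAN = ip_network("192.168.1.0/24")
ISP_SMTP = ip_network("192.0.2.25/32")
ISP_POP3 = ip_network("192.0.2.110/32")
TIME_HOST = ip_network("192.168.1.2/32")
ANYWHERE = ip_network("0.0.0.0/0")

# (protocol, destination ports, allowed sources, allowed destinations).
# Mail is pinned to the provider and submission on 587 replaces 25 (Spack's
# advice), FTP needs only the command port 21 from the client side, and only
# one machine may sync time.  Anything not listed is dropped.
EGRESS_RULES = [
    ("tcp", {587}, LAN, ISP_SMTP),
    ("tcp", {110}, LAN, ISP_POP3),
    ("tcp", {21}, LAN, ANYWHERE),
    ("udp", {53}, LAN, ANYWHERE),
    ("tcp", {53}, LAN, ANYWHERE),        # fallback for answers truncated over UDP
    ("tcp", {80, 443}, LAN, ANYWHERE),   # web, Windows Update, AV updates
    ("udp", {123}, TIME_HOST, ANYWHERE),
]


def egress_allowed(proto, src, dst, dport):
    """True if a new outbound connection matches an allow rule; default deny."""
    src, dst = ip_address(src), ip_address(dst)
    return any(proto == r_proto and dport in ports and src in srcs and dst in dsts
               for r_proto, ports, srcs, dsts in EGRESS_RULES)


def iptables_rules(chain="FORWARD"):
    """Render the same policy as iptables lines for a Linux router (text only)."""
    lines = [
        f"iptables -P {chain} DROP",
        # Replies and helper-tracked connections (FTP data via nf_conntrack_ftp)
        f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, ports, srcs, dsts in EGRESS_RULES:
        for port in sorted(ports):
            lines.append(f"iptables -A {chain} -p {proto} -s {srcs} -d {dsts} "
                         f"--dport {port} -m state --state NEW -j ACCEPT")
    return lines


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
```

Running the script prints the iptables lines; egress_allowed() lets you check a proposed connection against the policy before loading it on the router.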


 

Ian Stirling
      06-22-2005, 11:04 PM
Spack <(E-Mail Removed)> wrote:
> Shez wrote on Tue, 21 Jun 2005 22:08:51 +0100:
>
>> I want to tighten up our office ADSL router's rules on outgoing traffic
>> to reduce the risk from malware. The question is, what ports are
>> essential for a basic office LAN web/email setup?
>>
>> These are the outgoing ports it looks like I need:
>>
>> smtp 25 tcp
>> pop3 110 tcp

>
> If you can manage it, restrict these to allow access only to the SMTP and
> POP3 servers outside of your LAN that you need access to. This will prevent
> downloading mail from other mail providers (eg. from a non-virus checked
> mail account), and prevent malware that does get on your systems from

<snip>
>> ftp 20-21 tcp (for downloading only, not serving)

>
> You might need more than that, depending on whether the ftp is passive or
> active. 20 & 21 are the standards ports, but ports over 1024 incoming are
> required if the ftp server isn't able to handle passive connections and your
> router doesn't understand the ftp protocol to automatically open the
> appropriate ports using stateful inspection as needed.


I'm sure I saw an FTP proxy somewhere.
 