Great Circle Associates Firewalls
(March 1994)
 


Subject: Re: IP filtering/port question
From: johns @ oxygen . house . gov (John Schnizlein)
Date: Fri, 25 Mar 1994 08:59:36 -0500
To: firewalls @ GreatCircle . COM, lemke @ MITL . Research . Panasonic . COM

	From: lemke @ MITL . Research . Panasonic . COM (Kennedy Lemke)
	Date: Thu, 24 Mar 1994 17:52:58 -0500

	We use an IP filtering scheme for our internet gateway.  We allow packets
	over port 1024 through to allow for outgoing ftp, telnet, etc., and we
	only allow packets on certain ports below 1024 through (DNS, SMTP, etc.).  
	
	But we specifically DISallow X packets (6000-6010), and openwindows
	packets (2000-2010) for example.  Are there any other specific packets
	that should be disallowed over 1024?  For example, are Xview packets
	in the 2000 range, or 3000 range?  Other packets?  Thank you.
	
You should consider blocking tcp:7000-7002 where AFS listens and 
tcp:2049 where some configurations of NFS listen.

Why so many of the ports above 2000?
I thought each of these ports corresponded to a display "head" and blocking
access to up to 5 or so per computer was paranoid enough.

Please post back here any new holes people tell you about :-)
These "dynamic port" services are fun because you can't look them up as an
assigned number.  All we can do is help each other.

	<- John
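
Added example, not part of the original message or the list archive: a small audit that takes a host's listening TCP ports and reports which ones the filter described in this thread would still pass, which is how an unassigned "dynamic port" service shows up. The `netstat` sample is constructed, the function names are hypothetical, and the low-port allow list holds only the two services the thread names (SMTP and DNS).

```python
import re

# Policy as described in the thread: inbound TCP above 1024 is passed
# unless the port falls in one of these blocked ranges.
BLOCKED = {
    "X11": (6000, 6010),
    "OpenWindows": (2000, 2010),
    "AFS": (7000, 7002),
    "NFS": (2049, 2049),
}
# Assumption: only SMTP and DNS are allowed below 1024 (the thread says "etc.").
ALLOWED_LOW = {25, 53}

# Constructed sample of `netstat -an` LISTEN lines (not from a real host).
SAMPLE_NETSTAT = """\
tcp        0      0  *.25          *.*      LISTEN
tcp        0      0  *.111         *.*      LISTEN
tcp        0      0  *.2049        *.*      LISTEN
tcp        0      0  *.6000        *.*      LISTEN
tcp        0      0  *.6011        *.*      LISTEN
tcp        0      0  *.32771       *.*      LISTEN
"""

# Local address is "host.port" or "host:port"; capture the trailing port.
LISTEN_RE = re.compile(
    r"^tcp\S*\s+\d+\s+\d+\s+\S*?[.:](\d+)\s+\S+\s+LISTEN", re.M)

def listening_ports(netstat_text):
    """Return the sorted set of TCP ports in LISTEN state."""
    return sorted({int(p) for p in LISTEN_RE.findall(netstat_text)})

def filter_passes(port):
    """True if the thread's filter would let an inbound packet reach port."""
    if port <= 1024:
        return port in ALLOWED_LOW
    return not any(lo <= port <= hi for lo, hi in BLOCKED.values())

def exposed_listeners(netstat_text):
    """Listening ports that remain reachable from outside the filter."""
    return [p for p in listening_ports(netstat_text) if filter_passes(p)]

if __name__ == "__main__":
    for port in exposed_listeners(SAMPLE_NETSTAT):
        print("reachable through filter: tcp/%d" % port)
```

On the sample, tcp/6011 (one past the blocked X range) and tcp/32771 (a dynamically assigned port) are reported alongside SMTP, since a block list above 1024 only covers the ports someone thought to name.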
