Re: deny !Safe_ports, any critical reasons? (abuse..)

From: Jordan Mendelson <jordy@dont-contact.us>
Date: Thu, 07 Jan 1999 10:16:22 -0500

Chris Wedgwood wrote:
>
> On Thu, Jan 07, 1999 at 02:24:01PM +1300, Jason Haar wrote:
>
> > acl unsafe_ports port 1 7 9 11 13 15 17 19 20 22 23 25 26 27 37 43
> > 53 57 70 77 79 87 88 95 101 102 103 109 110 110 111 111 113 115 117
> > 119 123 137 138 143 144 465 563 512 513 514 515 520 526 530 531 532
> > 540 543 544 556 600 749 750 751 754 992 993 995 989 990 442 465 563
> > 992 993 994 995 989 990 901 1080
>
> OK -- this still leaves plenty of ports people might do bad things
> with.
>
> I think a policy of 'allow all except some' is generally a bad idea;
> 'allow none except some' is better IMO.
>
> (Off the top of my head) Your list doesn't include 21 (ftp command),
> 139 (Windows NetBIOS), 135 (Windows DCOM), 1433 (MS SQL server), 7010
> (common Sybase SQL server), etc.

The deny-all-but-some works fairly well for us since we do transparent
proxying. The only port that any user should ever hit our Squid server
with is port 80. I personally have a few machines configured to use the
proxy, so port 21/20 were added for FTP as well as port 443 for SSL, and
port 8080 for the defacto-standard alternate web port as well as 3128.

However there is always going to be odd ports which web servers reside
on. I'd recommend deny all but some policy for corporate users, but
never for a service provider.

Jordan

--
Jordan Mendelson     : http://jordy.wserv.com
Web Services, Inc.   : http://www.wserv.com
Received on Thu Jan 07 1999 - 08:12:32 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:55 MST