Suggested Perimeter Network TCP/IP Filters
March 11, 2010

Carefully consider which TCP/IP services will be allowed through and to the perimeter routers and firewalls (inbound and outbound). Use the following guideline when creating filters: any service that is not explicitly permitted is prohibited. The tables below list common services to restrict, either because they can be used to gather information about the protected network or because they have weaknesses that can be exploited against it.
1) Table 1 lists those TCP or UDP servers that should be completely blocked at the perimeter router or firewall. These services should not be allowed across the router or the firewall in either direction. Also, they should not be allowed to the router or the firewall.
2) Table 2 lists those TCP or UDP servers on the protected network, on the router or on the firewall that should not be accessible by external clients.
3) Table 3 lists the common TCP or UDP servers on the protected network, on the router or on the firewall that may need some access by internal or external clients and servers. Many of these services can be filtered to the few authorized computers (e.g., ftp server, mail server, domain name server, web server) on the protected network or on the DMZ subnet.
4) Table 4 lists the ICMP message types that can be allowed outbound from the protected network, while all other message types should be blocked.
In general, the administrator should create filters focusing on what services and hosts are permitted and denying everything else. This method means that one may not need to block each service in the tables below with a specific filter statement. Finally, use an intrusion detection system on the protected network to monitor the TCP/IP traffic that is allowed past the perimeter routers and firewalls.
Table 1:
TCP or UDP Servers to Completely Block at the Perimeter Router / Firewall

| Port(s) (Transport) | Server |
|---|---|
| 1 (TCP & UDP) | tcpmux |
| 7 (TCP & UDP) | echo |
| 9 (TCP & UDP) | discard |
| 11 (TCP & UDP) | systat |
| 13 (TCP & UDP) | daytime |
| 15 (TCP & UDP) | netstat |
| 17 (TCP & UDP) | qotd |
| 19 (TCP & UDP) | chargen |
| 37 (TCP & UDP) | time |
| 43 (TCP & UDP) | whois |
| 67 (TCP & UDP) | bootps |
| 68 (TCP & UDP) | bootpc |
| 69 (UDP) | tftp |
| 93 (TCP) | supdup |
| 111 (TCP & UDP) | sunrpc |
| 135 (TCP & UDP) | loc-srv |
| 137 (TCP & UDP) | netbios-ns |
| 138 (TCP & UDP) | netbios-dgm |
| 139 (TCP & UDP) | netbios-ssn |
| 177 (TCP & UDP) | xdmcp |
| 445 (TCP & UDP) | microsoft-ds |
| 512 (TCP) | rexec |
| 513 (TCP) | rlogin |
| 513 (UDP) | who |
| 514 (TCP) | rsh, rcp, rdist, rdump, rrestore |
| 515 (TCP) | lpr |
| 517 (UDP) | talk |
| 518 (UDP) | ntalk |
| 540 (TCP) | uucp |
| 1024 (TCP) | NetSpy |
| 1045 (TCP) | Rasmin |
| 1090 (TCP) | Xtreme |
| 1170 (TCP) | Psyber S.S. |
| 1234 (TCP) | Ultors Trojan |
| 1243 (TCP) | Backdoor-G |
| 1245 (TCP) | VooDoo Doll |
| 1349 (UDP) | Back Orifice DLL |
| 1492 (TCP) | FTP99CMP |
| 1600 (TCP) | Shivka-Burka |
| 1761 – 1764 (TCP & UDP) | sms-helpdesk |
| 1807 (TCP) | SpySender |
| 1981 (TCP) | Shockrave |
| 1999 (TCP) | BackDoor |
| 2001 (TCP) | Trojan Cow |
| 2023 (TCP) | Ripper |
| 2049 (TCP & UDP) | nfs |
| 2115 (TCP) | Bugs |
| 2140 (TCP) | Deep Throat |
| 2222 (TCP) | Subseven21 |
| 2301 (TCP & UDP) | compaqdiag |
| 2565 (TCP) | Striker |
| 2583 (TCP) | WinCrash |
| 2701 (TCP & UDP) | sms-rcinfo |
| 2702 (TCP & UDP) | sms-remctrl |
| 2703 (TCP & UDP) | sms-chat |
| 2704 (TCP & UDP) | sms-xfer |
| 2801 (TCP) | Phineas P. |
| 4045 (UDP) | lockd |
| 5800 – 5899 (TCP) | winvnc web server |
| 5900 – 5999 (TCP) | winvnc |
| 6000 – 6063 (TCP) | X11 Window System |
| 6665 – 6669 (TCP) | irc |
| 6711 – 6712 (TCP) | Subseven |
| 6776 (TCP) | Subseven |
| 7000 (TCP) | Subseven21 |
| 12345 – 12346 (TCP) | NetBus |
| 16660 (TCP) | Stacheldraht |
| 27444 (UDP) | Trinoo |
| 27665 (TCP) | Trinoo |
| 31335 (UDP) | Trinoo |
| 31337 – 31338 (TCP & UDP) | Back Orifice |
| 32700 – 32900 (TCP & UDP) | RPC services |
| 33270 (TCP) | Trinity V3 |
| 39168 (TCP) | Trinity V3 |
| 65000 (TCP) | Stacheldraht |
Table 2:
TCP or UDP Servers to Block at the Perimeter Router/Firewall from External Clients

| Port(s) (Transport) | Server |
|---|---|
| 79 (TCP) | finger |
| 161 (TCP & UDP) | snmp |
| 162 (TCP & UDP) | snmp trap |
| 514 (UDP) | syslog |
| 550 (TCP & UDP) | new who |
Table 3:
TCP or UDP Servers to Allow Limited Access at the Perimeter Router/Firewall

| Port(s) (Transport) | Server |
|---|---|
| 20 (TCP) | ftpdata |
| 21 (TCP) | ftp |
| 22 (TCP) | ssh |
| 23 (TCP) | telnet |
| 25 (TCP) | smtp |
| 53 (TCP & UDP) | domain |
| 80 (TCP) | http |
| 110 (TCP) | pop3 |
| 119 (TCP) | nntp |
| 123 (TCP) | ntp |
| 143 (TCP) | imap |
| 179 (TCP) | bgp |
| 389 (TCP & UDP) | ldap |
| 443 (TCP) | ssl |
| 1080 (TCP) | socks |
| 3128 (TCP) | squid |
| 8000 (TCP) | http (alternate) |
| 8080 (TCP) | http-alt |
| 8888 (TCP) | http (alternate) |
Table 4:
ICMP Message Types to Allow Outbound from the Protected Network

| Number | Name |
|---|---|
| 4 | source quench |
| 8 | echo request (ping) |
| 12 | parameter problem |
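As an added example (not part of the original guidance), the following Python encodes a subset of Tables 1 to 3 as port/transport ranges and checks a proposed permit rule against them in the order the guidance implies: Table 1 blocks regardless of direction, Table 2 blocks connections initiated by external clients, Table 3 services are permitted only toward an authorized host, and anything else falls through to the default deny. The `evaluate` and `audit` functions and the `dst_authorized` flag are this example's own constructs; Table 4 (ICMP) is not covered.

```python
"""Policy checker for the perimeter filter tables above (added example)."""

# Transports: "T" = TCP, "U" = UDP, "TU" = both. Entries are (low, high, transports).
# Table 1 (subset of the page's list): block in both directions and to the router itself.
TABLE1_BLOCK_ALL = [
    (1, 1, "TU"), (7, 7, "TU"), (9, 9, "TU"), (11, 11, "TU"), (13, 13, "TU"),
    (15, 15, "TU"), (17, 17, "TU"), (19, 19, "TU"), (37, 37, "TU"), (43, 43, "TU"),
    (67, 68, "TU"), (69, 69, "U"), (93, 93, "T"), (111, 111, "TU"), (135, 135, "TU"),
    (137, 139, "TU"), (177, 177, "TU"), (445, 445, "TU"), (512, 514, "T"),
    (513, 513, "U"), (515, 515, "T"), (517, 518, "U"), (540, 540, "T"),
    (2049, 2049, "TU"), (4045, 4045, "U"), (5800, 5999, "T"), (6000, 6063, "T"),
    (6665, 6669, "T"), (12345, 12346, "T"), (31337, 31338, "TU"), (32700, 32900, "TU"),
]
# Table 2: block only when an external client initiates the connection.
TABLE2_BLOCK_INBOUND = [(79, 79, "T"), (161, 162, "TU"), (514, 514, "U"), (550, 550, "TU")]
# Table 3: may be permitted, but only toward the few authorized servers (e.g. on the DMZ).
TABLE3_LIMITED = [
    (20, 23, "T"), (25, 25, "T"), (53, 53, "TU"), (80, 80, "T"), (110, 110, "T"),
    (119, 119, "T"), (123, 123, "T"), (143, 143, "T"), (179, 179, "T"),
    (389, 389, "TU"), (443, 443, "T"), (1080, 1080, "T"), (3128, 3128, "T"),
    (8000, 8000, "T"), (8080, 8080, "T"), (8888, 8888, "T"),
]


def _listed(port, transport, table):
    """True if (port, transport) falls inside any entry of the table."""
    return any(lo <= port <= hi and transport in tr for lo, hi, tr in table)


def evaluate(port, transport, inbound, dst_authorized):
    """Decide whether one proposed permit rule is acceptable under the guidance.

    port/transport describe the server side of the connection; inbound=True means
    an external client initiates it; dst_authorized=True (a flag assumed for this
    example) means the destination is an approved server for that service.
    Returns (decision, reason)."""
    if _listed(port, transport, TABLE1_BLOCK_ALL):
        return ("deny", "Table 1: blocked in both directions")
    if inbound and _listed(port, transport, TABLE2_BLOCK_INBOUND):
        return ("deny", "Table 2: not reachable from external clients")
    if _listed(port, transport, TABLE3_LIMITED) and dst_authorized:
        return ("permit", "Table 3: limited access to an authorized host")
    return ("deny", "not explicitly permitted, so prohibited")


def audit(rules):
    """Return the proposed permit rules (port, transport, inbound, authorized) the guidance rejects."""
    return [(r, evaluate(*r)[1]) for r in rules if evaluate(*r)[0] == "deny"]
```

Note that port 514 is judged differently per transport: TCP 514 (rsh) is a Table 1 block everywhere, while UDP 514 (syslog) is a Table 2 block only for external clients and is still denied outbound because nothing permits it.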