spectrum48k

I'm setting up a new firewall appliance this weekend and am just making a note of the typical ports i'll need to open up for the network:

HTTP, 80
RDP, 3389
POP3, 110
SMTP, 25
VNC
PING
FTP, 21
DNS, 53, UDP
HTTPS, 443

anything else ?

bgood

iTrader: (2)

443 HTTPS

mike1210

I assume you mean going outwards

HTTPS i'd add

booooger beaten to it

mike1210

FTP may be an **** unless the firewall can inspect that protocol,

Out of interest what firewall is it?

mike1210

DNS Lookups also if for going out, UDP port 53

spectrum48k

draytek vigor 2930 firewall appliance
supports Stateful packet inspection, etc...

why would FTP be an "****" ? Can you enlighten me, as I'm a newbie with this stuff - do you mean from a port forwarding point of view over NAT ?

unfeasablylargegonads

iTrader: (3)

FTP & NAT:

The File Transfer Protocol (FTP) and Your Firewall / Network Address Translation (NAT) Router / Load Balancing Router

mike1210

Yes what big ***** said

My Cisco 877W copes with it fine but my old Draytek 2600 wouldn't, limiting outgoing ports. With no outgoing ports limited it will be fine.

as an example nero website, download via FTP it makes a port 21 connection and a random port above 1024, with block except certain ports this causes problems

IIRC the 3300 has an FTP inspect feature but I didn't see that on the 2930

Id also be wary of allowing VNC out as well, especially if it's unencypted (as VNC can be). RDP is encrypted but users can share there drives, this could introduce a virus onto the network. From a security dudes point of view

spectrum48k

good info, thanks for the link big bollocks

there's only 1 VNC connection, where a trusted remote client will be using it to remotely VPN into a workstation.

As for RDP, there's only me who'll use it to administer the workstations behind the firewall and I trust my Kaspersky to keep me clear of viri !

I'll check out the FTP issue