Ports for emule?
I changed a friend's Internet access from USB modem to a router/firewall (Vigor 2600VG). Now it seems that his son can't use emule because the firewall is blocking the ports. My friend uses his pc for business & the pc must be secure. The 2 computers (father + son) are in the same IP address range, but are not using network sharing.
If I open a load of ports for emule on the router (4661, 4662, 4665, 4672, 4711) what does this mean security-wise for the business computer? |
It increases the risk. Your friend should look at what his son is using emule for, then decide if it's worth the risk to his business.
|
plus he will be damning himself to the fiery pit for all of eternity.........................
(or something eh jack tell em!!) |
Well done my son, your training is nearly complete.
|
Thanks Jack
What can actually happen to the accounts computer? Could it get hacked through the open ports, or would he have to be running emule to be hacked? (He is using XP Pro SP2 & integral SP2 firewall + McAfee Virusscan 2006 - just the anti-virus version). If I opened the ports & forwarded them to his son's internal IP address, would that then risk the accounts computer? |
Whichever way you look at it, they share a network. Ask the administrators of networks on here if they allow some machines access to the ports used for emule. Even the slightest risk is still a risk that most wouldn't take.
|
The golden rule for access is: None.
You restrict ALL ports by default and then open up the ones you want. ONLY the ones you want. If you run a local firewall on each p.c. in the scenario above - and restrict the emule ports on the father's machine - it will give SOME protection. However, if the son's p.c. IS compromised then this is the backdoor to the father's - unless the two machines are restricted from each other. |
Thanks guys
My preference is to not open the ports, but it's a request from an old friend & I need to be sure if I say "no". The father's pc is on the same IP range (192.168.1.x), but is not sharing anything, also the workgroups are not the same name. Maybe I can suggest it's ok, but the accounts computer would need Zonealarm? |
Originally Posted by Kieran_Burns
However, if the son's p.c. IS compromised then this is the backdoor to the father's - unless the two machines are restricted from each other.
|
Originally Posted by Nick
Assume that the son's computer is constantly compromised (it's a typical student computer... in a mess). How do I restrict them from each other?
Also edited to add: McAfee will help with the virus trapping side of things.
Edited to add again (doh): the Vigor has an option to set separate VLANs on the 4 ports. On my 2600G it's in the VLAN/Rate Control menu. Enable it and tick the boxes to put them on separate networks; this should as good as isolate the PCs from each other. |
Originally Posted by mike1210
Edited to add again (doh): the Vigor has an option to set separate VLANs on the 4 ports. On my 2600G it's in the VLAN/Rate Control menu. Enable it and tick the boxes to put them on separate networks; this should as good as isolate the PCs from each other.
|
Originally Posted by Nick
That's great - thanks very much! The SP2 Firewall is already enabled on the business computer. So I can open the relevant ports, put the 2 pcs on separate vlans, do I suggest that the business pc also has Zonealarm installed to protect the open emule ports?
Putting the PCs on separate VLANs really is a brick wall defence. The son's computer could not access the other computer in any way, so you are safe there.

Zonealarm? It's up to you. What I do is use the firewall packet filter on the router to only allow certain ports out onto the net. By default on the Draytek routers, all traffic leaving the network is allowed, which isn't good if a virus gets on to your machine.

If you're interested, what I do is bind IPs to MACs and set up outgoing rules for each machine on the network. The first rules are "block if no further match" rules for both TCP and UDP traffic. Then create rules so certain IPs can go out on certain ports, for example:
UDP port 53 - DNS lookups (would be needed for the net)
Port 80 HTTP - General Internet
Port 443 HTTPS - Secure Internet

PM me if you want to do it this way. It's a bit fiddly but works really well; the FAQs on the Draytek site have great info in them (www.draytek.co.uk).

One + for Zone alarm is that it can restrict outgoing traffic by application (i.e. it will tell you when something is trying to go out from the PC). Routers do this to some extent, but you need to know what protocol and ports the application uses. |
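
The outbound rule set described in the post above, modelled as an added example (not part of the thread and not DrayTek's code). The host addresses, the son's extra port-4662 rule and the function names are assumptions; "block if no further match" is modelled as "blocked unless a later rule passes the packet", and the default of "pass" is the router default the post mentions.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    src: Optional[str]    # source IP, None = any host
    proto: Optional[str]  # "tcp" / "udp", None = any protocol
    dport: Optional[int]  # destination port, None = any port
    action: str           # "block_if_no_further_match" or "pass"

# Constructed addresses in the thread's 192.168.1.x range (bound to MACs on the router).
BUSINESS, SON = "192.168.1.10", "192.168.1.20"

# First rules: block all outbound TCP and UDP unless a later rule matches.
RULES = [
    Rule(None, "tcp", None, "block_if_no_further_match"),
    Rule(None, "udp", None, "block_if_no_further_match"),
]
# Per-machine allow rules from the post: DNS, HTTP, HTTPS.
for host in (BUSINESS, SON):
    RULES += [Rule(host, "udp", 53, "pass"),
              Rule(host, "tcp", 80, "pass"),
              Rule(host, "tcp", 443, "pass")]
# Hypothetical extra rule: only the son's PC may go out on an emule port.
RULES.append(Rule(SON, "tcp", 4662, "pass"))

def matches(rule, src, proto, dport):
    return (rule.src in (None, src) and rule.proto in (None, proto)
            and rule.dport in (None, dport))

def decide(src, proto, dport, rules=RULES, default="pass"):
    """Return "pass" or "block" for one outbound packet."""
    verdict = default                  # router default: outbound allowed
    for rule in rules:
        if not matches(rule, src, proto, dport):
            continue
        if rule.action == "pass":
            return "pass"              # explicit allow wins immediately
        verdict = "block"              # blocked unless a later rule passes it
    return verdict

if __name__ == "__main__":
    flows = [(BUSINESS, "tcp", 443), (BUSINESS, "tcp", 4662), (SON, "tcp", 4662),
             ("192.168.1.99", "tcp", 80), (BUSINESS, "icmp", None)]
    for flow in flows:
        print(flow, "->", decide(*flow))
```

The last flow shows the gap in this rule set: the blanket rules cover only TCP and UDP, so any other protocol still falls through to the allow-by-default behaviour.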