This document describes a network connection from a company network to the Internet (as seen from a Cisco router's point of view). This document is by no means complete. Do not just copy this information and paste it into your security policy.
| General Setup Rules | Notes |
|---|---|
| No spoofed IP traffic | Connections to external interfaces pretending to come from internal networks |
| No source-routed frames | To prevent acceptance of faked routing information |
| No fragmented IP traffic | To prevent fragments from evading TCP/UDP based filter rules |
| No ICMP bombing of external sites | To prevent slowdowns on external networks and denial of service attacks |
| No TCP SYN flooding of external sites | To prevent slowdowns on external networks and denial of service attacks |
ext-ns is the external nameserver for all domains.
| Rule | Direction | Source Address | Destination Address | Protocol | Source Port | Destination Port | ACK Bit set | Notes |
|---|---|---|---|---|---|---|---|---|
| DNS1 | In | Ext | ext-ns | UDP | >1023 | 53 | - | Incoming query via UDP, client to external nameserver |
| DNS2 | Out | ext-ns | Ext | UDP | 53 | >1023 | - | Answer to incoming UDP query, external nameserver to client |
| DNS3 | In | Ext | ext-ns | TCP | >1023 | 53 | Not set on first packet (establish), set on the rest | Incoming query via TCP, client to external nameserver |
| DNS4 | Out | ext-ns | Ext | TCP | 53 | >1023 | Yes | Answer to incoming TCP query, server to client |
| DNS5 | Out | ext-ns | Ext | UDP | >1023 | 53 | - | Outgoing query via UDP, client to server |
| DNS6 | In | Ext | ext-ns | UDP | 53 | >1023 | - | Answer to outgoing UDP query, server to client |
| DNS7 | Out | ext-ns | Ext | TCP | >1023 | 53 | Not set on first packet (establish), set on the rest | Outgoing query via TCP, client to server |
| DNS8 | In | Ext | ext-ns | TCP | 53 | >1023 | Yes | Answer to outgoing TCP query, server to client |
| DNS9 | In | Ext | ext-ns | UDP | 53 | 53 | - | Query or response between ext-ns and external servers via UDP |
| DNS10 | Out | ext-ns | Ext | UDP | 53 | 53 | - | Query or response between ext-ns and external servers via UDP |
| DNS11 | In | Ext | ext-ns | TCP | >1023 | 53 | Not set on first packet (establish), set on the rest | Query from external server to ext-ns via TCP, or zone transfer request (idea: use the xfernets option in BIND to ensure that zone transfers are only possible from legitimate partners) |
| DNS12 | Out | ext-ns | Ext | TCP | 53 | >1023 | Yes | Answer from ext-ns to external server via TCP, or zone transfer response to external secondary via TCP |
| DNS13 | Out | ext-ns | Ext | TCP | >1023 | 53 | Not set on first packet (establish), set on the rest | Query from ext-ns to external server via TCP |
| DNS14 | In | Ext | ext-ns | TCP | 53 | >1023 | Yes | Answer from external server to ext-ns via TCP |
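The General Setup rules and the DNS table written out as Cisco IOS extended access lists, as an added example that is not part of the original document. It assumes 192.0.2.0/24 as the internal address block, 192.0.2.53 as ext-ns, Serial0 as the interface towards the Internet, and access lists 101 (inbound) and 102 (outbound); rows that differ only in their notes (DNS3/DNS11, DNS4/DNS12, DNS7/DNS13, DNS8/DNS14) collapse into one entry each.

```cisco
! Assumed addresses: 192.0.2.0/24 internal, 192.0.2.53 = ext-ns, Serial0 = Internet link
! General setup: the router neither forwards nor honours source-routed packets
no ip source-route
!
! Inbound from the Internet (table direction "In")
! Anti-spoofing: nothing arriving from outside may carry an internal source address
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
! Non-initial fragments carry no port numbers and would slip past the port filters
! below; the "fragments" keyword requires IOS 12.0(11) or later
access-list 101 deny   ip any any fragments
! DNS1: UDP query, client to ext-ns
access-list 101 permit udp any gt 1023 host 192.0.2.53 eq 53
! DNS3 / DNS11: TCP query or zone transfer request; no "established", the SYN must pass
access-list 101 permit tcp any gt 1023 host 192.0.2.53 eq 53
! DNS6: UDP answer to a query ext-ns sent out
access-list 101 permit udp any eq 53 host 192.0.2.53 gt 1023
! DNS8 / DNS14: TCP answers; "established" = ACK bit set, so an inbound SYN never matches
access-list 101 permit tcp any eq 53 host 192.0.2.53 gt 1023 established
! DNS9: server-to-server UDP, port 53 on both sides
access-list 101 permit udp any eq 53 host 192.0.2.53 eq 53
access-list 101 deny   ip any any log
!
! Outbound to the Internet (table direction "Out")
! DNS2: UDP answers to incoming queries
access-list 102 permit udp host 192.0.2.53 eq 53 any gt 1023
! DNS4 / DNS12: TCP answers and zone transfer responses, ACK bit required
access-list 102 permit tcp host 192.0.2.53 eq 53 any gt 1023 established
! DNS5: UDP queries from ext-ns
access-list 102 permit udp host 192.0.2.53 gt 1023 any eq 53
! DNS7 / DNS13: TCP queries from ext-ns
access-list 102 permit tcp host 192.0.2.53 gt 1023 any eq 53
! DNS10: server-to-server UDP
access-list 102 permit udp host 192.0.2.53 eq 53 any eq 53
access-list 102 deny   ip any any log
!
interface Serial0
 ip access-group 101 in
 ip access-group 102 out
```

The final `deny ip any any log` entries make the tables' implicit default explicit and give the router log a record of anything that did not match a rule.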
ext-ns is the external mail exchanger for all domains hosted at this location. Allow SMTP traffic from external networks to ext-ns and vice versa. Do NOT allow POP!
| Rule | Direction | Source Address | Destination Address | Protocol | Source Port | Destination Port | ACK Bit set | Notes |
|---|---|---|---|---|---|---|---|---|
| SMTP1 | In | Ext | ext-ns | TCP | >1023 | 25 | Not set on first packet (establish), set on the rest | Incoming mail, sender to recipient |
| SMTP2 | Out | ext-ns | Ext | TCP | 25 | >1023 | Yes | Incoming mail, recipient to sender |
| SMTP3 | Out | ext-ns | Ext | TCP | >1023 | 25 | Not set on first packet (establish), set on the rest | Outgoing mail, sender to recipient |
| SMTP4 | In | Ext | ext-ns | TCP | 25 | >1023 | Yes | Outgoing mail, recipient to sender |
ftp.domain.de is the external FTP server for all domains hosted at this location. Allow FTP traffic from external networks to ftp.domain.de and vice versa. Allow FTP connects to the webfarms (in the new customer network).
| Rule | Direction | Source Address | Destination Address | Protocol | Source Port | Destination Port | ACK Bit set | Notes |
|---|---|---|---|---|---|---|---|---|
| FTP1 | In | Ext | ftp.domain.de, webfarms, firewall | TCP | >1023 | 21 | Not set on first packet (establish), set on the rest | Incoming FTP request |
| FTP2 | Out | ftp.domain.de, webfarms, firewall | Ext | TCP | 21 | >1023 | Yes | Response to incoming request |
| FTP3 | Out | Ext | ftp.domain.de, webfarms, firewall | TCP | 20 | >1023 | Not set on first packet (establish), set on the rest | Data channel creation for incoming FTP request, normal mode (NOT PASV) |
| FTP4 | In | Ext | ftp.domain.de, webfarms, firewall | TCP | >1023 | 20 | Yes | Data channel responses for incoming FTP request, normal mode |
| FTP5 | In | Ext | ftp.domain.de, webfarms, firewall | TCP | >1023 | >1023 | Not set on first packet (establish), set on the rest | Data channel creation for incoming FTP request, passive mode (PASV) |
| FTP6 | Out | ftp.domain.de, webfarms, firewall | Ext | TCP | >1023 | >1023 | Yes | Data channel responses for incoming FTP request, passive mode |
| FTP7 | Out | ftp.domain.de, webfarms, firewall | Ext | TCP | >1023 | 21 | Not set on first packet (establish), set on the rest | Outgoing FTP request |
| FTP8 | In | Ext | ftp.domain.de, webfarms, firewall | TCP | 21 | >1023 | Yes | Response to outgoing request |
| FTP9 | In | Ext | ftp.domain.de, webfarms, firewall | TCP | 20 | >1023 | Not set on first packet (establish), set on the rest | Data channel creation for outgoing FTP request, normal mode |
| FTP10 | Out | ftp.domain.de, webfarms, firewall | Ext | TCP | >1023 | 20 | Yes | Data channel responses for outgoing FTP request, normal mode |
| FTP11 | Out | ftp.domain.de, webfarms, firewall | Ext | TCP | >1023 | >1023 | Not set on first packet (establish), set on the rest | Data channel creation for outgoing FTP request, passive mode |
| FTP12 | In | Ext | ftp.domain.de, webfarms, firewall | TCP | >1023 | >1023 | Yes | Data channel responses for outgoing FTP request, passive mode |
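The incoming half of the FTP table (FTP1 to FTP6) as Cisco IOS access-list entries, an added example rather than part of the original document, showing why the normal-mode data channel can be pinned to port 20 while the passive-mode channel cannot. It assumes 192.0.2.21 standing in for ftp.domain.de, access list 101 applied inbound and 102 outbound on the Internet interface; the same lines are repeated for each webfarm host and for the firewall.

```cisco
! Assumed: 192.0.2.21 = ftp.domain.de; ACL 101 is applied inbound, 102 outbound on
! the Internet interface. Repeat each line for every webfarm host and the firewall.
!
! FTP1: control connection, client to server port 21 (SYN must pass, no "established")
access-list 101 permit tcp any gt 1023 host 192.0.2.21 eq 21
! FTP2: replies on the control connection, ACK bit required
access-list 102 permit tcp host 192.0.2.21 eq 21 any gt 1023 established
!
! Normal (active) mode: the SERVER opens the data connection from port 20 to the
! port the client announced with PORT (FTP3); the client only answers (FTP4).
! The server-side port is fixed, so the rule can be that narrow.
access-list 102 permit tcp host 192.0.2.21 eq 20 any gt 1023
access-list 101 permit tcp any gt 1023 host 192.0.2.21 eq 20 established
!
! Passive mode: the CLIENT opens the data connection to the high port the server
! announced with PASV (FTP5); the server only answers (FTP6). A stateless filter
! cannot know which port was negotiated, so FTP5 admits a SYN from anywhere to
! every port >1023 on the server. Nothing else may listen on those ports.
access-list 101 permit tcp any gt 1023 host 192.0.2.21 gt 1023
access-list 102 permit tcp host 192.0.2.21 gt 1023 any gt 1023 established
```

On IOS with the firewall feature set, CBAC (`ip inspect name <name> ftp` on the interface) tracks the PORT/PASV exchange on the control channel and opens only the negotiated data port, which removes the need for the wide FTP5 entry.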
Allow HTTP traffic for incoming and outgoing connects.
| Rule | Direction | Source Address | Destination Address | Protocol | Source Port | Destination Port | ACK Bit set | Notes |
|---|---|---|---|---|---|---|---|---|
| HTTP1 | In | Ext | webfarms | TCP | >1023 | 80 (or other ports that run httpd daemons) | Not set on first packet (establish), set on the rest | Incoming session, client to server in webfarm |
| HTTP2 | Out | webfarms | Ext | TCP | 80 | >1023 | Yes | Reply packets to external web clients from webfarm |
| HTTP3 | Out | proxy-farm | Ext | TCP | >1023 | Any (problem with non-standard web sites) | Not set on first packet (establish), set on the rest | Outgoing HTTP from proxy farm to Ext |
| HTTP4 | In | Ext | proxy-farm | TCP | Any | >1023 | Yes | Reply packets to outgoing proxy connects |
Allow NNTP traffic from the external news server (provider) to the external news server (own network).
| Rule | Direction | Source Address | Destination Address | Protocol | Source Port | Destination Port | ACK Bit set | Notes |
|---|---|---|---|---|---|---|---|---|
| NNTP1 | In | external newsfeed | external newsfeed in DMZ | TCP | >1023 | 119 | Not set on first packet (establish), set on the rest | Incoming news to external SBS news site |
| NNTP2 | Out | external newsfeed in DMZ | external newsfeed | TCP | 119 | >1023 | Yes | Reply packets to incoming news |
| NNTP3 | Out | external newsfeed in DMZ | external newsfeed | TCP | >1023 | 119 | Not set on first packet (establish), set on the rest | Outgoing news to external newsfeed |
| NNTP4 | In | external newsfeed | external newsfeed in DMZ | TCP | 119 | >1023 | Yes | Outgoing news responses to external newsfeed |
Allow telnet only for outgoing traffic.
| Rule | Direction | Source Address | Destination Address | Protocol | Source Port | Destination Port | ACK Bit set | Notes |
|---|---|---|---|---|---|---|---|---|
| TELNET1 | Out | firewall | Ext | TCP | >1023 | 23 | Not set on first packet (establish), set on the rest | Outgoing telnet from firewall to external sites |
| TELNET2 | In | Ext | firewall | TCP | 23 | >1023 | Yes | Reply packets to outgoing telnet |
Allow SSH traffic for incoming and outgoing connects.
| Rule | Direction | Source Address | Destination Address | Protocol | Source Port | Destination Port | ACK Bit set | Notes |
|---|---|---|---|---|---|---|---|---|
| SSH1 | Out | firewall | Ext | TCP | >1023 | 22 | Not set on first packet (establish), set on the rest | Outgoing ssh from firewall to external sites |
| SSH2 | In | Ext | firewall | TCP | 22 | >1023 | Yes | Reply packets to outgoing ssh |
| SSH3 | In | Ext | sshd-enabled hosts (all hosts in the DMZ) | TCP | >1023 | 22 | Not set on first packet (establish), set on the rest | Incoming ssh from external sites to DMZ |
| SSH4 | Out | sshd-enabled hosts (all hosts in the DMZ) | Ext | TCP | 22 | >1023 | Yes | Reply packets to incoming ssh |
Last modified: Mon Oct 27 15:42:36 MET 1997