One of the cool little features of our hosted security tools is the "firewall hints" link, which is available for any host that has been scanned at least once. It appears underneath the list of open ports and what is running on them.
If Nmap has detected the operating system, the command-line information is specific to that OS. If the OS has not yet been detected, Secure Trends shows command-line hints for every operating system it supports. ST shows you how to set up your firewall to allow outbound Internet traffic but block inbound Internet traffic except to the ports Nmap currently sees as open. Don't want a port open? Copy the ST firewall hints to a text editor, remove the line that would open that port, then paste the rest into the command line of the machine you need to lock down.
Windows firewall rules by command-line
Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP1 have a built-in firewall. It's actually a decent little inbound port-blocking firewall (it does not filter outbound traffic at all), but almost nobody uses it. I'm a fan of not spending money, so why would I buy another port-based firewall if Windows already has one? Here are the command-line firewall hints for a Windows host scanned by Secure Trends:
netsh firewall set opmode ENABLE
netsh firewall set notifications ENABLE
netsh firewall set logging %windir%\pfirewall.log 4096 ENABLE
netsh firewall set portopening TCP 7 echo
netsh firewall set portopening TCP 9 discard
netsh firewall set portopening TCP 13 daytime
netsh firewall set portopening TCP 17 qotd
netsh firewall set portopening TCP 19 chargen
netsh firewall set portopening TCP 42 wins
netsh firewall set portopening TCP 53 domain
netsh firewall set portopening TCP 80 http
netsh firewall set portopening TCP 135 msrpc
netsh firewall set portopening TCP 139 netbios-ssn
netsh firewall set portopening TCP 445 microsoft-ds
netsh firewall set portopening TCP 1025 msrpc
netsh firewall set portopening TCP 3389 microsoft-rdp
netsh firewall set portopening TCP 5800 vnc-http
netsh firewall set portopening TCP 5900 vnc
netsh firewall set portopening TCP 5901 vnc
I'm sure you're wondering who runs all of this junk? Not me. What does this all mean?
- netsh firewall set opmode ENABLE -- This turns on the firewall.
- netsh firewall set notifications ENABLE -- Pops up a "Windows Security Alert" whenever the firewall blocks a program that tries to accept inbound connections, so you can decide on the spot whether to unblock it. It has nothing to do with command-line changes to the firewall.
- netsh firewall set logging %windir%\pfirewall.log 4096 ENABLE -- Logs dropped packets to pfirewall.log; the 4096 is the maximum file size in kilobytes (about 4 MB), and the trailing ENABLE is the droppedpackets switch. Successful connections are not logged unless you add a second ENABLE for the connections switch.
- netsh firewall set portopening TCP 7 echo -- Adds an exception so computers on the network can reach TCP port 7 on this computer. "echo" is only the display name of the exception; it does not tie the rule to a particular service.
What if you wanted to shut off access to the echo service? No one should be using echo anyway (ports 7, 9, 13, 17 and 19 come from the optional "Simple TCP/IP Services" Windows component, which is better left uninstalled). If you had already explicitly opened the echo port, you could disable that exception with this command:
netsh firewall set portopening TCP 7 echo disable
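As an added example (not part of the Secure Trends hints or this post), here is what a pruned set of hints looks like as a batch file for a host that only needs RDP from an admin network and file sharing from its own LAN. It uses the named-parameter form of the same netsh commands, restricts the two remaining exceptions with the scope option, and removes every other exception the full hint set above would have created. The admin subnet 192.168.1.0/24 and the choice of which two ports to keep are assumptions; change them for your network.

```batch
@echo off
rem Added example, not Secure Trends' own hints. Target: Windows XP SP2 or
rem Server 2003 SP1. The 192.168.1.0/24 admin subnet is an assumption.

rem Turn the firewall on and prompt when a new program starts listening.
netsh firewall set opmode mode=ENABLE
netsh firewall set notifications mode=ENABLE

rem Log dropped packets only; maxfilesize is in kilobytes (4096 KB = 4 MB).
netsh firewall set logging filelocation=%windir%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

rem Keep just the two ports this host really needs, and not from the whole Internet:
rem RDP only from the assumed admin subnet, SMB only from the local subnet.
netsh firewall set portopening protocol=TCP port=3389 name=microsoft-rdp mode=ENABLE scope=CUSTOM addresses=192.168.1.0/24
netsh firewall set portopening protocol=TCP port=445 name=microsoft-ds mode=ENABLE scope=SUBNET

rem If the complete hint set was already pasted in, strip the rest back out.
rem "delete portopening" removes the exception; "set portopening ... mode=DISABLE"
rem would leave it in the list, switched off.
for %%p in (7 9 13 17 19 42 53 80 135 139 1025 5800 5900 5901) do netsh firewall delete portopening protocol=TCP port=%%p

rem Check what is left and that the firewall is actually on.
netsh firewall show portopening
netsh firewall show state
```

Save it as lockdown.bat and run it from an administrative cmd prompt on the machine being locked down; `delete portopening` prints a harmless complaint for any port that was never opened. The positional form used in the hints (`netsh firewall set portopening TCP 7 echo`) is the same command with protocol, port and name given in order, and a trailing `disable` on that form is the same as `mode=DISABLE` here.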
To learn more about the Windows firewall, either using the command-line or the gui, you can check out this article: http://lantoolbox.com/network-administration/articles/configure-windows-firewall-using-command-line/
What if I'm running Windows 2000 or XP without SP2?
If you need a free command-line firewall for a slightly older Windows, check out the WIPFW project. It is essentially a port of FreeBSD's ipfw packet filter to the Windows platform. If you're using Secure Trends, you can copy and paste the firewall hints for BSD and use them on your Windows box, since WIPFW keeps the ipfw rule syntax.
What other operating systems can do this kind of thing?
Linux has iptables from the Netfilter project, and FreeBSD has ipfw. Secure Trends can give firewall hints for both of these. Solaris probably has something, but as we don't have access to a Solaris box or the freedom to potentially break it, it isn't included yet.