Firewall Rulesets 101 - directionality.

awakenings asked
Last Modified: 2013-11-16
I wanted to get someone with the benefit of more experience on a few things. Assume a stateful firewall. I'm trying to determine the direction that rulesets should be created for a few types of services. One of the things that confuses me is that each protocol has both TCP and UDP. From what I understand, if it is TCP, a stateful firewall will create an inbound connection for that state. A stateless firewall will not. UDP, not paying attention to state, will require inbound connectivity for UDP responses? That seems wrong to me though. Any rules of thumb that you can mention would be greatly appreciated. I filled in the information I was fairly sure of. Any help is appreciated.

Service                  Port             Direction      Destination
RPC Endpoint Mapper      135/tcp          Outbound       AD Servers
RPC Endpoint Mapper      135/udp                         AD Servers
NetBIOS Name             137/tcp          Outbound       AD Servers
NetBIOS Name             137/udp          Outbound       AD Servers
NetBIOS Datagram         138/udp                         AD Servers
NetBIOS Session          139/tcp                         AD Servers
RPC Dynamic Assignment   1024-65535/tcp   Outbound       AD Servers
SMB over IP              445/tcp          Outbound       Anywhere we need to get to shares
SMB over IP              445/udp          Outbound       Anywhere we need to get to shares
LDAP                     389/tcp          Outbound       AD Servers
LDAP Ping                389/udp          Outbound       AD Servers
LDAP over SSL            636/tcp          Outbound       AD Servers
GC LDAP                  3268/tcp                        AD Servers
GC LDAP over SSL         3269/tcp                        AD Servers
Kerberos                 88/tcp                          AD Servers
Kerberos                 88/udp                          AD Servers
DNS                      53/tcp                          AD DNS Servers
DNS                      53/udp                          AD DNS Servers
NTP                      123/tcp                         NTP Server
NTP                      123/udp                         NTP Server
ICMP                                      Inbound
Antivirus                1024-5000/tcp    Bidirectional  AV Server
SSH                      22/tcp           Outbound       Anywhere we may need
HTTP                     80/tcp           Outbound       Internet
HTTPS                    443/tcp          Outbound       Internet
SMB (Linux)                               Outbound       Internet
ISAKMP                   500/tcp          Outbound
ISAKMP                   500/udp
POP                      110/tcp                         Email Server
POP                      110/udp                         Email Server
SMTP                     25/tcp                          Email Server
SMTP                     25/udp
tn3270                   246/tcp                         Mainframe
tn3270                   246/udp
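The mechanism the question is circling around, as an added example (it is not code from the thread, not one of the experts' answers, and does not model any particular vendor): a toy stateful filter that tracks UDP flows the same way it tracks TCP flows, by recording the 5-tuple of the first permitted outbound packet and admitting inbound packets whose tuple is the reverse of a tracked entry until the entry idles out. That is why a return datagram to an outbound DNS query or LDAP ping needs no inbound rule, and why an unsolicited inbound datagram on the same port is still dropped. The hosts, ports and timeout values below are made up; real products use their own timers (Linux nf_conntrack, for instance, uses a short timeout for unreplied UDP and a longer one once both directions have been seen).

```python
"""Toy stateful packet filter: TCP and UDP flows tracked by 5-tuple.

Added example for this thread; hosts, ports and timeouts are invented and
the class does not reproduce any vendor's implementation.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float           # seconds since an arbitrary epoch
    syn: bool = False   # TCP only: first packet of a handshake


class StatefulFirewall:
    # Illustrative idle timeouts; UDP state is short-lived because there is
    # no FIN/RST to tell the firewall the exchange is over.
    UDP_TIMEOUT = 30.0
    TCP_TIMEOUT = 3600.0

    def __init__(self, outbound_rules):
        # outbound_rules: set of (proto, dport) the policy allows inside -> outside.
        # There are deliberately no inbound rules at all.
        self.outbound_rules = outbound_rules
        self.state = {}  # (proto, src, sport, dst, dport) -> last-seen timestamp

    def _expire(self, now):
        for key, last in list(self.state.items()):
            timeout = self.UDP_TIMEOUT if key[0] == "udp" else self.TCP_TIMEOUT
            if now - last > timeout:
                del self.state[key]

    def outbound(self, p):
        self._expire(p.ts)
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.state:
            self.state[key] = p.ts
            return "ALLOW (existing flow)"
        if (p.proto, p.dport) in self.outbound_rules:
            if p.proto == "tcp" and not p.syn:
                # Mid-stream TCP with no state: not a connection we saw open.
                return "DROP (TCP without SYN and no state)"
            self.state[key] = p.ts
            return "ALLOW (new flow)"
        return "DROP (no rule)"

    def inbound(self, p):
        self._expire(p.ts)
        # A reply carries the original tuple reversed.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state:
            self.state[key] = p.ts
            return "ALLOW (reply to tracked flow)"
        return "DROP (unsolicited inbound)"


def demo():
    """Walk a client through DNS, an LDAP ping and an LDAP bind; return verdicts."""
    fw = StatefulFirewall({("udp", 53), ("tcp", 389), ("udp", 389)})
    client, dns, dc = "10.0.0.5", "10.0.1.53", "10.0.1.10"   # invented addresses
    verdicts = []
    # Outbound DNS query opens a UDP pseudo-connection.
    verdicts.append(fw.outbound(Packet("udp", client, 50000, dns, 53, ts=0.0)))
    # The answer matches the reversed tuple: allowed without any inbound rule.
    verdicts.append(fw.inbound(Packet("udp", dns, 53, client, 50000, ts=0.1)))
    # Same tuple after the idle timeout: state is gone, datagram dropped.
    verdicts.append(fw.inbound(Packet("udp", dns, 53, client, 50000, ts=60.0)))
    # Unsolicited inbound UDP 389 from the DC: nothing outbound ever matched it.
    verdicts.append(fw.inbound(Packet("udp", dc, 389, client, 50001, ts=61.0)))
    # TCP: only a SYN may create state; a bare data segment is dropped.
    verdicts.append(fw.outbound(Packet("tcp", client, 50002, dc, 389, ts=62.0)))
    verdicts.append(fw.outbound(Packet("tcp", client, 50002, dc, 389, ts=62.0, syn=True)))
    verdicts.append(fw.inbound(Packet("tcp", dc, 389, client, 50002, ts=62.1)))
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The practical consequence for the table in the question: with a stateful firewall, a client-side ruleset only needs the Outbound column filled in for request/response protocols on both TCP and UDP; the Inbound entries that remain are the ones where the remote side initiates (for example, an AV server pushing to agents), and those do need their own rules.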

Les Moore, Systems Architect
Top Expert 2008

Thanks, that does clear up a few things. The DNS we are using is the encrypted AD DNS, so we do have TCP in our DNS entries. The outbound was the permitted traffic I would like to have, as there is an implicit deny all on our firewall.
It is confusing looking at the port list, as they do list both TCP and UDP, but they don't mention standards.
What do you mean by SPI? I didn't realize it was possible to maintain true state in UDP due to the connectionless nature. It seems, and I may be wrong, that it would have to be a pseudo-statefulness for UDP, just assuming the UDP traffic is acceptable due to IP address and possibly the port, or something similar.
So, to round up, is there a good firewall ruleset site for looking up some of this information? I still have questions about a few of the above. If you can copy, paste, and make corrections, that would be great. I'm still looking up ports and such.

Thanks for everything!
noci, Software Engineer
Distinguished Expert 2019

BTW, "netstat -an" will tell you what ports are opened on what protocol.....
for 135 & 88


Thanks Noci... I learned a lot from reading this and going over my notes very carefully. I checked the syslog for 135 and 88. It is strange, the M$ documentation says it needs TCP and UDP. When I examine syslog, it appears only TCP is used. I have a few other questions, but I'll give you two your points and ask another question when I have time to regroup specific questions. I guess the best resource for checking how traffic flows is the RFCs. That will now be my new tool.
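One way to do the syslog check described in the post above in a repeatable way, as an added example that is not code from the thread: parse firewall log lines, count which destination port and protocol pairs were actually accepted or dropped in each direction, and list the candidate rules from the question's table that never matched. The sample lines are constructed in the netfilter LOG-target format (the `ACCEPT`/`DROP` prefix, interface names, addresses and timestamps are all invented), and `eth1` is assumed to be the inside interface, so a packet arriving on it is outbound.

```python
"""Tally port/protocol usage from firewall syslog and flag never-matched rules.

Added example for this thread. SAMPLE_LOG is constructed test data in the
netfilter LOG-target layout; the interface eth1 is assumed to face the inside.
"""

import re
from collections import Counter

# Constructed sample: outbound ACCEPTs from one client to a DC, one unsolicited
# inbound DROP, one ICMP record without ports, and one unrelated sshd line.
SAMPLE_LOG = """\
Nov 16 10:01:02 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.1.10 PROTO=TCP SPT=49211 DPT=135 SYN
Nov 16 10:01:02 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.1.10 PROTO=TCP SPT=49212 DPT=49160 SYN
Nov 16 10:01:03 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.1.10 PROTO=TCP SPT=49213 DPT=88 SYN
Nov 16 10:01:03 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.1.10 PROTO=UDP SPT=49214 DPT=389 LEN=46
Nov 16 10:01:04 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.1.10 PROTO=UDP SPT=49215 DPT=53 LEN=41
Nov 16 10:01:04 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.1.10 PROTO=TCP SPT=49216 DPT=389 SYN
Nov 16 10:01:05 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.1.10 PROTO=TCP SPT=49217 DPT=88 SYN
Nov 16 10:01:06 gw kernel: DROP IN=eth0 OUT=eth1 SRC=192.0.2.7 DST=10.0.0.5 PROTO=UDP SPT=1024 DPT=135 LEN=60
Nov 16 10:01:07 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.1.10 PROTO=ICMP TYPE=8 CODE=0 ID=1
Nov 16 10:01:08 gw sshd[412]: Accepted publickey for admin from 10.0.0.9 port 51022 ssh2
"""

# SPT/DPT are optional so ICMP records (no ports) still parse.
LOG_RE = re.compile(
    r"\b(?P<action>ACCEPT|DROP) IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Fields of one firewall LOG line, or None for lines that are not firewall records."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def summarize(log_text, inside_if):
    """Count (direction, proto, dport, action); direction comes from the
    ingress interface: arrived on the inside interface -> outbound."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        direction = "outbound" if rec["in"] == inside_if else "inbound"
        dport = int(rec["dpt"]) if rec["dpt"] else None   # ICMP has no ports
        counts[(direction, rec["proto"].lower(), dport, rec["action"])] += 1
    return counts


def unobserved_rules(candidates, counts):
    """Candidate (proto, port) rules with no ACCEPT in either direction."""
    seen = {(proto, dport) for (_, proto, dport, action) in counts if action == "ACCEPT"}
    return sorted(r for r in candidates if r not in seen)


# Pairs the question's table lists with both a TCP and a UDP entry.
CANDIDATES = {("tcp", 135), ("udp", 135), ("tcp", 88), ("udp", 88),
              ("tcp", 389), ("udp", 389), ("tcp", 53), ("udp", 53)}


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG, inside_if="eth1")
    for (direction, proto, dport, action), n in sorted(counts.items(), key=str):
        print(f"{direction:8} {proto:4} {dport!s:>6} {action:6} {n}")
    print("never accepted in this window:", unobserved_rules(CANDIDATES, counts))
```

Two caveats when reading the result. First, the firewall only logs what its rules log, so run the comparison with logging enabled on both the accept and the final deny rule, otherwise traffic the deny rule silently eats never shows up as a candidate. Second, absence over one window is evidence, not proof: DNS, for example, falls back to TCP only when a UDP answer is truncated, so 53/tcp can legitimately be idle for hours and still be needed.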
