Firewall Rulesets 101 - directionality.

Posted on 2006-07-11
Last Modified: 2013-11-16
I wanted to get someone with the benefit of more experience on a few things.  Assume a stateful firewall.  I'm trying to determine the direction that rulesets should be created for a few types of services.  One of the things that confuses me is that each protocol has both TCP and UDP.  From what I understand, if it is TCP, a stateful firewall will create an inbound connection for that state.  A stateless firewall will not.  UDP, not paying attention to state, will require inbound connectivity for UDP responses?  That seems wrong to me though.  Any rules of thumb that you can mention would be greatly appreciated.  I filled in the information I was fairly sure of.  Any help is appreciated.

Service                   Port/Proto        Direction       Destination
RPC Endpoint Mapper       135/tcp           Outbound        AD Servers
RPC Endpoint Mapper       135/udp                           AD Servers
NetBIOS Name              137/tcp           Outbound        AD Servers
NetBIOS Name              137/udp           Outbound        AD Servers
NetBIOS Datagram          138/udp                           AD Servers
NetBIOS Session           139/tcp                           AD Servers
RPC Dynamic Assignment    1024-65535/tcp    Outbound        AD Servers
SMB over IP               445/tcp           Outbound        Anywhere we need to get to shares
SMB over IP               445/udp           Outbound        Anywhere we need to get to shares
LDAP                      389/tcp           Outbound        AD Servers
LDAP Ping                 389/udp           Outbound        AD Servers
LDAP over SSL             636/tcp           Outbound        AD Servers
GC LDAP                   3268/tcp                          AD Servers
GC LDAP over SSL          3269/tcp                          AD Servers
Kerberos                  88/tcp                            AD Servers
Kerberos                  88/udp                            AD Servers
DNS                       53/tcp                            AD DNS Servers
DNS                       53/udp                            AD DNS Servers
NTP                       123/tcp                           NTP Server
NTP                       123/udp                           NTP Server
ICMP                                        Inbound
Antivirus                 1024-5000/tcp     Bidirectional   AV Server
SSH                       22/tcp            Outbound        Anywhere we may need
HTTP                      80/tcp            Outbound        Internet
HTTPS                     443/tcp           Outbound        Internet
SMB (Linux)                                 Outbound        Internet
ISAKMP                    500/tcp           Outbound
ISAKMP                    500/udp
POP                       110/tcp                           Email Server
POP                       110/udp                           Email Server
SMTP                      25/tcp                            Email Server
SMTP                      25/udp
tn3270                    246/tcp                           Mainframe
tn3270                    246/udp
Question by: awakenings

Assisted Solution by lrmoore (ID: 17083105)
Most of the protocols, although they have both TCP and UDP ports only use one or the other. Example:
ISAKMP = UDP/500 always
POP3 = TCP/110 always
SMTP = TCP/25 always
DNS = UDP/53 almost always - few dns features require tcp
HTTP = TCP/80 always

Outbound rule sets are configured to block certain traffic from leaving the network, like you don't want NetBIOS stuff leaking out.
Inbound rule sets are configured to allow specific traffic (www, ftp, email, etc.) inbound that is not in response to internal hosts' requests, i.e. unsolicited traffic.
SPI is in the middle. Outbound traffic that requires a response creates an entry in the state table. When a response comes back that matches up with the outbound request, then that response is allowed back in. The state table can handle both TCP and UDP, but some firewalls do a better job than others at maintaining the UDP state simply because it is by definition a "stateless" protocol. That doesn't mean that the firewall can't keep a table of an inside host sending a DNS request to an external host and allow the expected reply.
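Added example, not code from lrmoore's answer or anywhere in the original thread: a toy stateful-inspection engine that does exactly what the answer describes. The policy is an outbound-only allow list with an implicit deny; an outbound packet that the policy permits creates a state entry, and an inbound packet is accepted only when it matches an existing entry in reverse. TCP state is created on the SYN; UDP has no handshake, so the engine keeps a "pseudo-state" keyed on the 5-tuple with a short idle timeout, which is how real firewalls let a DNS reply back in without a standing inbound 53/udp rule. The hosts, ports, the allow list and the 30-second UDP timeout are all constructed for the illustration (vendor firewalls use their own timeouts).

```python
from dataclasses import dataclass

# Outbound allow list taken from a few rows of the question's table
# (transport, destination port). Anything else is implicitly denied.
OUTBOUND_ALLOW = {("tcp", 389), ("tcp", 88), ("udp", 53), ("udp", 123), ("tcp", 443)}

# Idle timeouts in seconds; the UDP value is an assumption for the example.
TIMEOUTS = {"tcp": 3600, "udp": 30}


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = leaving the inside network, "in" = arriving from outside
    syn: bool = False  # TCP only: first packet of a new connection


class StatefulFirewall:
    def __init__(self):
        # (proto, inside_ip, inside_port, outside_ip, outside_port) -> expiry time
        self.state = {}

    def _expire(self, now):
        self.state = {k: exp for k, exp in self.state.items() if exp > now}

    def filter(self, pkt, now):
        """Return 'ACCEPT' or 'DROP' for pkt at time `now`, updating the state table."""
        self._expire(now)
        ttl = TIMEOUTS[pkt.proto]
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.state:               # existing flow: refresh and pass
                self.state[key] = now + ttl
                return "ACCEPT"
            if pkt.proto == "tcp" and not pkt.syn:
                return "DROP"                   # mid-stream TCP with no state
            if (pkt.proto, pkt.dport) not in OUTBOUND_ALLOW:
                return "DROP"                   # implicit deny
            self.state[key] = now + ttl         # new flow permitted by policy
            return "ACCEPT"
        # Inbound: only replies to a flow we already know about.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:
            self.state[key] = now + ttl
            return "ACCEPT"
        return "DROP"                           # unsolicited


def demo():
    """Walk through the cases discussed in the thread; returns the verdicts in order."""
    fw = StatefulFirewall()
    inside, dc, attacker = "10.0.0.5", "10.0.0.2", "198.51.100.9"
    query = Packet("udp", inside, 51000, dc, 53, "out")
    reply = Packet("udp", dc, 53, inside, 51000, "in")
    return [
        fw.filter(query, now=0),                                           # ACCEPT: creates UDP pseudo-state
        fw.filter(reply, now=1),                                           # ACCEPT: matches it in reverse
        fw.filter(Packet("udp", attacker, 53, inside, 53, "in"), now=2),   # DROP: unsolicited 53/udp
        fw.filter(Packet("tcp", inside, 40000, dc, 389, "out", syn=True), now=3),  # ACCEPT: LDAP SYN
        fw.filter(Packet("tcp", dc, 389, inside, 40000, "in"), now=4),     # ACCEPT: SYN/ACK back
        fw.filter(Packet("tcp", inside, 40001, "192.0.2.7", 445, "out", syn=True), now=5),  # DROP: 445 not allowed
        fw.filter(reply, now=61),                                          # DROP: UDP state idled out
    ]
```

The last case is the caveat practitioners hit in the field: UDP "state" is only a timer, so a slow reply (or a long-lived UDP session such as SIP or some VPN keepalives) needs a longer UDP timeout on the firewall, not an inbound rule.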


Author Comment (ID: 17084211)

Thanks, that does clear up a few things.  The DNS we are using is the encrypted AD DNS, so we do have TCP in our DNS entries.  The outbound was the permitted traffic I would like to have, as there is an implicit deny all on our firewall.
It is confusing looking at the port list as they do list both TCP and UDP, but they don't mention standards.
What do you mean by SPI?  I didn't realize it was possible to maintain true state in UDP due to the connectionless nature.  It seems, and I may be wrong, that it would have to be a pseudo-statefulness for UDP: just assuming the UDP traffic is acceptable due to IP address and possibly the port, or something similar.
So, to round up, is there a good firewall ruleset site for looking up some of this information?  I still have questions about a few of the above.  If you can copy, paste, and make corrections, that would be great.  I'm still looking up ports and such.

Thanks for everything!
Accepted Solution by noci (ID: 17086405)
There has been an administrative goof-up in the past. The services files didn't state UDP or TCP, just a port number.
And some use both, like DNS. So officially 23/tcp and 23/udp have been handed out to the telnet designers;
only 23/tcp is used, but officially 23/udp had been handed out too... that's why the assigned numbers
list has both mentioned.
This was changed later (see ssh 22/tcp).

Many protocols use either TCP or UDP. It doesn't make sense to allow UDP 80 as HTTP because there are no
UDP 80 webservers.
If you want to make sure, look up the RFC for a particular protocol. That will probably tell it exactly.

Not really sure, I thought only TCP was used...
RPC Endpoint Mapper       135/tcp           Outbound        AD Servers
RPC Endpoint Mapper       135/udp                           AD Servers
Kerberos                  88/tcp                            AD Servers
Kerberos                  88/udp                            AD Servers

As stated in line...
NetBIOS Name              137/udp           Outbound        AD Servers
NetBIOS Datagram          138/udp                           AD Servers
NetBIOS Session           139/tcp                           AD Servers
NetBIOS Session (like 139 over SSL)   445/tcp   Outbound    Anywhere we need to get to shares
LDAP                      389/tcp           Outbound        AD Servers
LDAP Ping                 389/udp           Outbound        AD Servers
LDAP over SSL             636/tcp           Outbound        AD Servers
GC LDAP                   3268/tcp                          AD Servers
GC LDAP over SSL          3269/tcp                          AD Servers
DNS                       53/tcp                            AD DNS Servers    ; used for transfer
DNS                       53/udp                            AD DNS Servers    ; used for queries
NTP                       123/udp                           NTP Server
SSH                       22/tcp            Outbound        Anywhere we may need
HTTP                      80/tcp            Outbound        Internet
HTTPS                     443/tcp           Outbound        Internet
ISAKMP                    500/udp
POP                       110/tcp                           Email Server
SMTP                      25/tcp                            Email Server
tn3270                    246/tcp                           Mainframe

The following is a collection of protocols:
SMB (Linux)                                 Outbound        Internet
137, 138/udp
139, 445/tcp
And you generally don't want them on or from the internet....

The following are not TCP or UDP port numbers but belong to /etc/protocols,
like UDP, TCP and ICMP themselves:

ICMP   1    has no concept of ports
UDP    17   uses ports to differentiate services
TCP    6    uses ports to differentiate services
ESP    50   has no concept of ports, IPSEC VPN tunnel
AH     51   has no concept of ports, IPSEC authentication (deprecated)

Stateful inspection will help with analyzing FTP and RPC-like protocols and auto-generate the rules needed
after negotiation, so you don't need broad openings like these. The RPC Dynamic will also allow
the GC LDAP (& SSL) to do outbound.

This doesn't make sense... (protocol-wise; probably needed for FTP access)
Antivirus                 1024-5000/tcp     Bidirectional   AV Server

The RPC protocols (like on 135 & 111) negotiate the real ports used for data traffic:
RPC Dynamic Assignment    1024-65535/tcp    Outbound        AD Servers
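Added example, not code from noci's answer or the original thread: what "auto-generate the rules needed after negotiation" looks like inside a stateful firewall. An application-layer helper watches the control channel of a protocol that negotiates its data port, and when it sees the port being announced it registers a single, narrowly scoped expectation (this client, this server, this port, one connection) instead of the standing 1024-65535/tcp opening in the table. FTP's passive-mode reply (the RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" line) is used here because its format fits in a few lines; the RPC endpoint-mapper exchange on 135 would need a different parser but the same expectation logic, which is my generalisation rather than something the thread states. The reply lines and addresses are constructed. The helper also refuses expectations that point at a host other than the server on the control connection, the same restriction Linux's nf_conntrack_ftp enforces unless its `loose` option is enabled.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -- the data port is p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line):
    """Return (ip, port) announced by a PASV reply, or None if the line is not a valid one."""
    m = PASV_RE.search(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):      # each field is one octet
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpHelper:
    """Watches server->client lines on the 21/tcp control channel and keeps one-shot expectations."""

    def __init__(self):
        # (proto, client_ip, server_ip, server_port) for data connections we expect to see next
        self.expected = set()

    def on_server_line(self, client_ip, server_ip, line):
        """Called for every reply line on the control channel; returns True if an expectation was added."""
        ep = parse_pasv(line)
        if ep is None:
            return False
        data_ip, data_port = ep
        # Only trust a data endpoint on the server we are already talking to, and never a
        # privileged port: a tampered PASV reply must not open a hole to a third host.
        if data_ip != server_ip or data_port < 1024:
            return False
        self.expected.add(("tcp", client_ip, server_ip, data_port))
        return True

    def allow_new_outbound(self, client_ip, server_ip, port):
        """Decision for a new outbound SYN in the dynamic range: permitted only if expected, and only once."""
        key = ("tcp", client_ip, server_ip, port)
        if key in self.expected:
            self.expected.discard(key)    # consumed by the first matching connection
            return True
        return False


def demo():
    """Constructed exchange between an inside client and an FTP server; returns the decisions in order."""
    client, server = "10.0.0.5", "192.0.2.10"
    helper = FtpHelper()
    return [
        helper.allow_new_outbound(client, server, 50000),                                       # False: nothing negotiated yet
        helper.on_server_line(client, server, "227 Entering Passive Mode (192,0,2,10,195,80)."), # True: 195*256+80 = 50000
        helper.allow_new_outbound(client, server, 50000),                                       # True: exactly the negotiated port
        helper.allow_new_outbound(client, server, 50000),                                       # False: expectation already used
        helper.on_server_line(client, server, "227 Entering Passive Mode (198,51,100,9,195,80)."),  # False: other host
        helper.on_server_line(client, server, "227 Entering Passive Mode (192,0,2,10,0,22)."),  # False: privileged port
        helper.on_server_line(client, server, "150 Opening BINARY mode data connection."),      # False: not a PASV reply
    ]
```

The practical consequence for the table: with a helper like this in the firewall, the "RPC Dynamic Assignment 1024-65535/tcp" row shrinks to whatever the endpoint mapper actually hands out, one connection at a time, and the control-channel rule (135/tcp, or 21/tcp for FTP) is the only standing entry.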
Expert Comment by noci (ID: 17086411)
BTW, "netstat -an" will tell you what ports are open on what protocol,
for 135 & 88.

Author Comment (ID: 17092684)
Thanks Noci...  I learned a lot from reading this and going over my notes very carefully.  I checked the syslog for 135 and 88.  It is strange, the M$ documentation says it needs TCP and UDP.  When I examine syslog, it appears only TCP is used.  I have a few other questions, but I'll give you two your points and ask another question when I have time to regroup specific questions.  I guess the best resource for checking how traffic flows is the RFCs.  That will now be my new tool.

