Firewall Rulesets 101 - directionality.

Posted on 2006-07-11
Last Modified: 2013-11-16
I wanted to get someone with the benefit of more experience on a few things.  Assume a stateful firewall.  I'm trying to determine the direction that rulesets should be created for a few types of services.  One of the things that confuses me is that each protocol has both tcp and udp.  From what I understand, if it is TCP, a stateful firewall will create an inbound connection for that state.  A stateless firewall will not.  UDP, not paying attention to state, will require inbound connectivity for UDP responses?  That seems wrong to me though.  Any rules of thumb that you can mention would be greatly appreciated.  I filled in the information I was fairly sure of.  Any help is appreciated.

Service                  Port/Proto        Direction       Destination
RPC Endpoint Mapper      135/tcp           Outbound        AD Servers
RPC Endpoint Mapper      135/udp                           AD Servers
NetBIOS Name             137/tcp           Outbound        AD Servers
NetBIOS Name             137/udp           Outbound        AD Servers
NetBIOS Datagram         138/udp                           AD Servers
NetBIOS Session          139/tcp                           AD Servers
RPC Dynamic Assignment   1024-65535/tcp    Outbound        AD Servers
SMB over IP              445/tcp           Outbound        Anywhere we need to get to shares
SMB over IP              445/udp           Outbound        Anywhere we need to get to shares
LDAP                     389/tcp           Outbound        AD Servers
LDAP Ping                389/udp           Outbound        AD Servers
LDAP over SSL            636/tcp           Outbound        AD Servers
GC LDAP                  3268/tcp                          AD Servers
GC LDAP over SSL         3269/tcp                          AD Servers
Kerberos                 88/tcp                            AD Servers
Kerberos                 88/udp                            AD Servers
DNS                      53/tcp                            AD DNS Servers
DNS                      53/udp                            AD DNS Servers
NTP                      123/tcp                           NTP Server
NTP                      123/udp                           NTP Server
ICMP                                       Inbound
Antivirus                1024-5000/tcp     Bidirectional   AV Server
SSH                      22/tcp            Outbound        Anywhere we may need
HTTP                     80/tcp            Outbound        Internet
HTTPS                    443/tcp           Outbound        Internet
SMB (Linux)                                Outbound        Internet
ISAKMP                   500/tcp           Outbound
ISAKMP                   500/udp
POP                      110/tcp                           Email Server
POP                      110/udp                           Email Server
SMTP                     25/tcp                            Email Server
SMTP                     25/udp
tn3270                   246/tcp                           Mainframe
tn3270                   246/udp
Question by: awakenings

Assisted Solution

lrmoore earned 200 total points
ID: 17083105
Most of the protocols, although they have both TCP and UDP ports only use one or the other. Example:
ISAKMP = UDP/500 always
POP3 = TCP/110 always
SMTP = TCP/25 always
DNS = UDP/53 almost always - few dns features require tcp
HTTP = TCP/80 always

Outbound rule sets are configured to block certain traffic from leaving the network, like you don't want Netbios stuff leaking out.
Inbound rule sets are configured to allow specific traffic (www, ftp, email, etc) inbound that is not in response to internal hosts' requests - or unsolicited traffic.
SPI is in the middle. Outbound traffic that requires a response creates an entry in the state table. When a response comes back that matches up with the outbound request, then that response is allowed back in. The state table can handle both TCP and UDP, but some firewalls do a better job than others at maintaining the UDP state simply because it is by definition a "stateless" protocol. That doesn't mean that the firewall can't keep a table of an inside host sending a dns request to an external host and allow the expected reply.
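As an added illustration of the state-table behaviour described in this answer (example code, not part of lrmoore's reply or any firewall product), the following Python simulation records each permitted outbound request as a flow and admits an inbound packet only when it is the exact reverse of a recorded flow. It does this identically for TCP and UDP; the short UDP idle timeout is an assumption added to show why UDP "state" is really just "a request left recently". All addresses, ports and timeouts are constructed for the demo.

```python
"""Toy stateful-inspection (SPI) firewall.

Added example, not code from the thread. Flows are keyed by the 5-tuple seen
on the outbound request; a reply is admitted only if it is that tuple reversed.
All addresses, ports and timeouts below are constructed for the demo.
"""
from collections import namedtuple

# One packet as the firewall sees it, plus which side of the firewall it hit.
Packet = namedtuple("Packet", "proto src sport dst dport direction")

# Outbound permits, (transport, destination port) -> service. One transport
# per service, following the answer above (constructed list).
OUTBOUND_ALLOW = {
    ("tcp", 389): "LDAP",
    ("udp", 53): "DNS query",
    ("tcp", 53): "DNS zone transfer",
    ("udp", 123): "NTP",
}

# Idle timeouts in seconds. TCP has a real connection lifecycle; for UDP the
# "state" is only "a request left recently", so it is aged out quickly.
# These numbers are assumptions for the demo, not any product's defaults.
TIMEOUTS = {"tcp": 3600, "udp": 30}


class StatefulFirewall:
    def __init__(self, outbound_allow):
        self.outbound_allow = outbound_allow
        self.state = {}  # flow tuple -> expiry time (seconds)

    def filter(self, pkt, now):
        """Return the verdict for one packet observed at time `now`."""
        # Age out idle flows before consulting the table.
        self.state = {k: exp for k, exp in self.state.items() if exp > now}

        if pkt.direction == "out":
            if (pkt.proto, pkt.dport) not in self.outbound_allow:
                return "DROP (no outbound rule)"
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.state[key] = now + TIMEOUTS[pkt.proto]
            return "ACCEPT (new)"

        # Inbound: only the exact reverse of a recorded flow counts as a reply.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:
            self.state[key] = now + TIMEOUTS[pkt.proto]  # refresh idle timer
            return "ACCEPT (established)"
        return "DROP (unsolicited)"


def run_demo():
    """Replay a constructed packet trace; returns the list of verdicts."""
    fw = StatefulFirewall(OUTBOUND_ALLOW)
    trace = [  # (time in seconds, packet)
        (0,  Packet("udp", "10.0.0.5", 51234, "10.0.0.10", 53, "out")),   # DNS query
        (1,  Packet("udp", "10.0.0.10", 53, "10.0.0.5", 51234, "in")),    # its reply
        (1,  Packet("udp", "10.0.0.10", 53, "10.0.0.5", 51235, "in")),    # wrong port
        (2,  Packet("tcp", "10.0.0.5", 40000, "10.0.0.10", 389, "out")),  # LDAP SYN
        (3,  Packet("tcp", "10.0.0.10", 389, "10.0.0.5", 40000, "in")),   # SYN/ACK
        (4,  Packet("tcp", "192.0.2.7", 4444, "10.0.0.5", 445, "in")),    # unsolicited
        (5,  Packet("udp", "10.0.0.5", 5000, "203.0.113.1", 80, "out")),  # no UDP/80 permit
        (90, Packet("udp", "10.0.0.10", 53, "10.0.0.5", 51234, "in")),    # reply after timeout
    ]
    return [fw.filter(pkt, t) for t, pkt in trace]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The last packet in the trace is the interesting one: a DNS reply that arrives after the UDP idle timer has expired is indistinguishable from unsolicited traffic, which is the "pseudo-statefulness" limitation the thread goes on to discuss.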


Author Comment

ID: 17084211

Thanks, that does clear up a few things.  The DNS we are using the encrypted AD DNS so we do have TCP in our DNS entries.  The outbound was the permitted traffic I would like to have as there is an implicit deny all on our firewall.
It is confusing looking at the port list as they do list both TCP and UDP, but they don't mention standards.
What do you mean by SPI?  I didn't realize it was possible to maintain true state in UDP due to the connectionless nature.  It seems, and I may be wrong, that it would have to be a pseudo statefulness for UDP - just assuming the UDP traffic is acceptable due to IP address and possibly the port or something similar.
So, to round up, is there a good firewall rule set site for looking up some of this information?  I still have questions about a few of the above.  If you can copy, paste, and make corrections, that would be great.  I'm still looking up ports and such.

Thanks for everything!

Accepted Solution

noci earned 300 total points
ID: 17086405
There has been an administrative goof-up in the past. The services files didn't state UDP or TCP, just a port number.
And some use both, like DNS. So officially 23/tcp and 23/udp have been handed out to the telnet designers;
only 23/tcp is used, but officially 23/udp had been handed out too... that's why the assigned numbers
have both mentioned in the list.
This was changed later (see ssh 22/tcp).

Many protocols use either TCP or UDP. It doesn't make sense to allow UDP 80 as HTTP because there are no
UDP 80 web servers.
If you want to make sure, look up the RFC for a particular protocol. That will probably tell it exactly.

Not really sure, I thought only TCP was used...
Service                  Port/Proto   Direction   Destination
RPC Endpoint Mapper      135/tcp      Outbound    AD Servers
RPC Endpoint Mapper      135/udp                  AD Servers
Kerberos                 88/tcp                   AD Servers
Kerberos                 88/udp                   AD Servers

As stated in line...
Service                                Port/Proto   Direction   Destination                         Notes
NetBIOS Name                           137/udp      Outbound    AD Servers
NetBIOS Datagram                       138/udp                  AD Servers
NetBIOS Session                        139/tcp                  AD Servers
Netbios Session (like 139 over SSL)    445/tcp      Outbound    Anywhere we need to get to shares
LDAP                                   389/tcp      Outbound    AD Servers
LDAP Ping                              389/udp      Outbound    AD Servers
LDAP over SSL                          636/tcp      Outbound    AD Servers
GC LDAP                                3268/tcp                 AD Servers
GC LDAP over SSL                       3269/tcp                 AD Servers
DNS                                    53/tcp                   AD DNS Servers                      used for transfer
DNS                                    53/udp                   AD DNS Servers                      used for queries
NTP                                    123/udp                  NTP Server
SSH                                    22/tcp       Outbound    Anywhere we may need
HTTP                                   80/tcp       Outbound    Internet
HTTPS                                  443/tcp      Outbound    Internet
ISAKMP                                 500/udp
POP                                    110/tcp                  Email Server
SMTP                                   25/tcp                   Email Server
tn3270                                 246/tcp                  Mainframe

The following is a collection of protocols:
SMB (Linux)                                           Outbound     Internet
137, 138/UDP
139, 445/TCP
And you generally don't want them on or from the internet....

The following are not TCP or UDP port numbers but belong to /etc/protocols,
like UDP, TCP and ICMP themselves:

Protocol   Number   Notes
ICMP       1        has no concept of ports
UDP        17       uses ports to differentiate services
TCP        6        uses ports to differentiate services
ESP        50       has no concept of ports, IPSEC VPN Tunnel
AH         51       has no concept of ports, IPSEC AUTHENTICATION (deprecated)

Stateful inspection will help with analyzing FTP and RPC-like protocols and auto-generate the rules needed
after negotiation, so you don't need broad openings like these. The RPC Dynamic will also allow
the GC LDAP (& SSL) to do outbound.

This doesn't make sense.... (protocol-wise; probably needed for FTP access)
Antivirus                1024-5000/tcp     Bidirectional   AV Server

The RPC protocols (like on 135 & 111) negotiate the real ports used for data traffic.
RPC Dynamic Assignment   1024-65535/tcp    Outbound        AD Servers
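To make the directionality and transport points of this answer concrete, here is an added Python example (not noci's code and not the asker's firewall configuration). It lints a ruleset written in the thread's own format for the issues raised above (a transport the service never uses, an overly broad port range, SMB to or from the Internet) and then emits iptables rules only for the entries that pass, relying on conntrack for replies so each request/response service needs a rule on one side only. iptables is an assumed target; the destination networks, the single-transport lookup table, the breadth threshold and the sample ruleset are constructed for the example.

```python
"""Ruleset linter and iptables generator for a direction-oriented ruleset.

Added example, not from the thread. Rule tuples follow the thread's layout:
(service, transport, ports, direction, destination). Destination networks,
the single-transport table and the sample ruleset are constructed.
"""

# Services the answer above says use one transport only (constructed lookup).
SINGLE_TRANSPORT = {
    "isakmp": "udp", "pop3": "tcp", "pop": "tcp", "smtp": "tcp",
    "http": "tcp", "https": "tcp", "ssh": "tcp", "ntp": "udp", "tn3270": "tcp",
}
BROAD_RANGE_PORTS = 1000  # a range wider than this is flagged (assumed threshold)

# Constructed ruleset; deliberately includes entries the answer questions.
RULESET = [
    ("LDAP",        "tcp",  "389",        "outbound", "AD Servers"),
    ("DNS",         "udp",  "53",         "outbound", "AD DNS Servers"),
    ("DNS",         "tcp",  "53",         "outbound", "AD DNS Servers"),
    ("Kerberos",    "tcp",  "88",         "outbound", "AD Servers"),
    ("NTP",         "udp",  "123",        "outbound", "NTP Server"),
    ("HTTP",        "tcp",  "80",         "outbound", "Internet"),
    ("HTTP",        "udp",  "80",         "outbound", "Internet"),    # no UDP/80 web servers
    ("ISAKMP",      "tcp",  "500",        "outbound", "VPN Peer"),    # ISAKMP is UDP
    ("RPC Dynamic", "tcp",  "1024-65535", "outbound", "AD Servers"),  # overly broad
    ("SMB",         "tcp",  "445",        "outbound", "Internet"),    # SMB to the Internet
    ("ICMP",        "icmp", None,         "inbound",  "Internet"),
]
DEST_NETS = {  # placeholder addresses; substitute the real ones
    "AD Servers": "10.0.0.0/24", "AD DNS Servers": "10.0.0.0/24",
    "NTP Server": "10.0.0.123/32", "Internet": "0.0.0.0/0",
    "VPN Peer": "203.0.113.1/32",
}


def lint(rules):
    """Return one warning string per questionable entry (empty list = clean)."""
    warnings = []
    for name, proto, ports, direction, dest in rules:
        key = name.lower()
        expected = SINGLE_TRANSPORT.get(key)
        if expected and proto != expected:
            warnings.append(f"{name}: {ports}/{proto} is never used; {name} is {expected} only")
        if ports and "-" in ports:
            lo, hi = ports.split("-", 1)
            if int(hi) - int(lo) > BROAD_RANGE_PORTS:
                warnings.append(f"{name}: range {ports} is very broad; rely on stateful inspection instead")
        if (key.startswith("smb") or key.startswith("netbios")) and dest.lower() == "internet":
            warnings.append(f"{name}: should not be allowed to or from the Internet")
    return warnings


def to_iptables(rules, dest_nets):
    """Emit iptables commands for the entries that pass lint()."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        # Replies to flows we initiated come back via the state table, so no
        # per-service inbound rule is needed for request/response traffic.
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for rule in rules:
        if lint([rule]):
            continue  # refuse to emit rules the linter rejected
        name, proto, ports, direction, dest = rule
        net = dest_nets[dest]
        match = f"-p {proto}" + (f" --dport {ports.replace('-', ':')}" if ports else "")
        chains = {"outbound": ["OUTPUT"], "inbound": ["INPUT"],
                  "bidirectional": ["OUTPUT", "INPUT"]}[direction]
        for chain in chains:
            side = "-d" if chain == "OUTPUT" else "-s"   # peer is dst outbound, src inbound
            lines.append(f"iptables -A {chain} {side} {net} {match} "
                         f"-m conntrack --ctstate NEW -j ACCEPT  # {name}")
    return lines


if __name__ == "__main__":
    for w in lint(RULESET):
        print("WARNING:", w)
    print("\n".join(to_iptables(RULESET, DEST_NETS)))
```

Run as-is it reports four warnings for the constructed ruleset and emits rules for the remaining seven entries; the two ESTABLISHED,RELATED lines are what make the per-service rules one-directional.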

Expert Comment

ID: 17086411
BTW, "netstat -an" will tell you what ports are open on what protocol,
for 135 & 88.
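The check noci suggests, as an added Python example that is not part of the comment above: parse "netstat -an" output and report which transports actually have a listening socket on a given port. The sample output is constructed in the Windows "netstat -an" layout (Proto, Local Address, Foreign Address, State) and is not captured from any real host.

```python
"""Summarise `netstat -an` output per port and transport.

Added example, not from the thread. SAMPLE_NETSTAT is constructed in the
Windows `netstat -an` layout and is not output from any real machine.
"""
from collections import defaultdict

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.10:389          10.0.0.5:40000         ESTABLISHED
  TCP    [::]:88                [::]:0                 LISTENING
  UDP    0.0.0.0:88             *:*
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:123            *:*
  UDP    10.0.0.10:389          *:*
"""


def listeners(netstat_output):
    """Map local port -> set of transports with a listening socket.

    TCP sockets count only in LISTENING state (an ESTABLISHED line is a
    client connection, not a service). UDP has no state column, so any
    bound UDP socket counts as a listener.
    """
    result = defaultdict(set)
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrecognised line
        proto, local = fields[0].lower(), fields[1]
        port = int(local.rsplit(":", 1)[1])  # rsplit also handles [::]:88
        if proto == "tcp" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        result[port].add(proto)
    return result


def transports_for(netstat_output, port):
    """Sorted list of transports listening on `port`, e.g. ['tcp']."""
    return sorted(listeners(netstat_output).get(port, set()))


if __name__ == "__main__":
    for port in (88, 135, 389, 53, 123, 3268):
        print(port, transports_for(SAMPLE_NETSTAT, port) or "not listening")
```

Comparing this summary against the proposed ruleset shows which transport entries (for example 135/udp in the constructed sample) have no listener behind them and can be left out.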

Author Comment

ID: 17092684
Thanks Noci...  I learned a lot from reading this and going over my notes very carefully.  I checked the syslog for 135 and 88.  It is strange, the M$ documentation says it needs tcp and UDP.  When I examine syslog, it appears only tcp is used.  I have a few other questions, but I'll give you two your points and ask another question when I have time to regroup specific questions.  I guess the best resource for checking how traffic flows is the RFCs.  That will now be my new tool.

