If you’re not using NetBIOS, and CFP is set to block those ports In/Out, I see no reason to not be blocking them at the router. AFAIK, you would not need them for anything, and if you’re not blocking them, the presumption is that you’re allowing them, which could be a potential weakness.
And yes, the router-to-firewall port relationship is the same.
LM
Thank you for the reply, LM.
Comodo Forum is the best.
Anytime and every time. (:CLP)
It’s almost a year since the last post on this thread.
My final conclusion is that DDos and the likes cannot be totally eliminated by any means.
However, my most humble personal comment on this, through my own limited experience, is that I can minimize the threat to a certain extent.
Blocking all incoming for the following:
1- ICMP
2- UDP except from DNS (53)
3- TCP except from port 80
Blocking all outgoing for the following:
1- ICMP
2- UDP except to DNS (53)
3- TCP except to port 80
Comodo Protocol Analysis - ON
All of the above combined may stop unnoticed call-back and notification transmissions. By applying these strict rules whenever I don’t P2P, I have a (maybe) more secure surfing session. Just 3 rules.
Any other suggestions are most welcome!
Hey Daily,
For your Incoming rules, you should not need to Allow TCP/80. TCP is a stateful protocol, thus the need for content during browsing is covered without an explicit “In” rule. What that means is if you Allow TCP/80 out (for browsing the Net), your return content is a continuation of that connection, and thus Allowed.
However, for Out rules, unless you never use a secure connection or do email from a client (such as Thunderbird, etc), you might need to Allow more than just TCP/80 Out (443 for https, 25/110/995/465/587/etc for email), and unless you’ve hard-coded your system’s IP address, you may need to Allow UDP out from 68 (source port) to 67 (dest port), and then Allow UDP In from 67 to 68 - for DHCP lease renewal.
LM
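To make the two rule sets in this thread concrete, here is an added example (not Comodo's engine and not code from either poster): a toy stateful packet filter in Python that models Daily's three-rule set and LM's amended set, then runs constructed traffic through each. The rule semantics (first match wins, default block, TCP connection tracking keyed on local and remote port, UDP not tracked) and all packets are assumptions made for the example; the port lists come from the posts above. It shows why the inbound TCP/80 rule is unnecessary once outbound connections are tracked, that as written it also admits unsolicited inbound TCP whose source port happens to be 80, and which of HTTPS, DNS and DHCP renewal each set lets through.

```python
"""Toy stateful packet filter modelling the host-firewall rule sets from the
thread above.  Added example; not Comodo's engine or either poster's code.
Rule semantics and every packet below are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (to this host) or "out" (from this host)
    proto: str              # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    syn: bool = False       # TCP only: first packet of a new connection


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    action: str                      # "allow" or "block"
    src_port: Optional[int] = None   # None matches any port
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))


class StatefulFilter:
    """First matching rule decides; anything unmatched is blocked.
    An allowed outbound TCP SYN records (local_port, remote_port); later TCP
    packets of that connection, either direction, are allowed without
    consulting the rules (LM's "continuation of that connection").
    UDP is deliberately not tracked, so UDP replies need an explicit In rule."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.conns: Set[Tuple[int, int]] = set()

    def decide(self, p: Packet) -> str:
        if p.proto == "tcp":
            key = ((p.src_port, p.dst_port) if p.direction == "out"
                   else (p.dst_port, p.src_port))
            if key in self.conns:
                return "allow"
        for r in self.rules:
            if r.matches(p):
                if (r.action == "allow" and p.proto == "tcp"
                        and p.direction == "out" and p.syn):
                    self.conns.add((p.src_port, p.dst_port))
                return r.action
        return "block"


# Daily's rule set as posted: ICMP blocked both ways, UDP only to/from 53,
# TCP only to/from 80.  Everything else falls to the default block.
DAILY_RULES = [
    Rule("in", "udp", "allow", src_port=53),
    Rule("in", "tcp", "allow", src_port=80),   # LM: not needed with state tracking
    Rule("out", "udp", "allow", dst_port=53),
    Rule("out", "tcp", "allow", dst_port=80),
]

# LM's amendments: no TCP In rule, HTTPS plus the mail ports LM lists Out,
# and the DHCP pair (UDP 68 -> 67 out, 67 -> 68 in) for lease renewal.
LM_RULES = [
    Rule("out", "tcp", "allow", dst_port=80),
    Rule("out", "tcp", "allow", dst_port=443),
    *[Rule("out", "tcp", "allow", dst_port=p) for p in (25, 110, 995, 465, 587)],
    Rule("out", "udp", "allow", dst_port=53),
    Rule("in", "udp", "allow", src_port=53),
    Rule("out", "udp", "allow", src_port=68, dst_port=67),
    Rule("in", "udp", "allow", src_port=67, dst_port=68),
]

# Constructed traffic, evaluated in order through one filter instance so the
# HTTP reply arrives after the connection it belongs to was opened.
SCENARIOS = [
    ("http_out_syn",         Packet("out", "tcp", 51000, 80, syn=True)),
    ("http_reply",           Packet("in", "tcp", 80, 51000)),
    ("unsolicited_in_src80", Packet("in", "tcp", 80, 3389, syn=True)),
    ("https_out",            Packet("out", "tcp", 51001, 443, syn=True)),
    ("dns_out",              Packet("out", "udp", 54321, 53)),
    ("dns_reply",            Packet("in", "udp", 53, 54321)),
    ("dhcp_renew_out",       Packet("out", "udp", 68, 67)),
    ("dhcp_reply_in",        Packet("in", "udp", 67, 68)),
    ("ping_in",              Packet("in", "icmp")),
]


def run_scenarios(rules: List[Rule]) -> Dict[str, str]:
    """Return {scenario_name: 'allow' | 'block'} for the given rule set."""
    fw = StatefulFilter(rules)
    return {name: fw.decide(pkt) for name, pkt in SCENARIOS}


if __name__ == "__main__":
    daily, lm = run_scenarios(DAILY_RULES), run_scenarios(LM_RULES)
    print(f"{'scenario':22} {'Daily':6} {'LM':6}")
    for name, _ in SCENARIOS:
        print(f"{name:22} {daily[name]:6} {lm[name]:6}")
```

Running it prints one row per scenario. Both sets allow the HTTP request and its reply, but only Daily's set also admits the unsolicited inbound SYN with source port 80, which is the cost of an "In from 80" rule that a tracked connection makes redundant; only LM's set allows HTTPS and the DHCP renewal exchange, and both still block inbound ICMP.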