printerserver and firewall

 
 
alexander rickert
01-15-2005
Hello

I'm experimenting with firewalls these days and print servers.
I use the Sygate firewall and it blocks more or less everything.

I enabled the Network Neighbourhood thing, but still I have problems with
the network between the computers. It doesn't ask to enable anything for
the network, but when I turn off Sygate, it all works perfectly.

Does someone know how to solve this?

My second problem is the printer. I have Win 2000 on that machine and
the HP printer has a parallel cable (no USB available).
When I try to install or even search for the printer from the other
computers, it simply says that there is no printer with that name or
address.

What's going on here?

If someone could help me out, I would be very, very happy.

Greets lex

 

Michael Hearne
01-19-2005
alexander rickert wrote:

> Hello
>
> I'm experimenting with firewalls these days and print servers.
> I use the Sygate firewall and it blocks more or less everything.
>
> I enabled the Network Neighbourhood thing, but still I have problems with
> the network between the computers. It doesn't ask to enable anything for
> the network, but when I turn off Sygate, it all works perfectly.
>
> Does someone know how to solve this?
>
> My second problem is the printer. I have Win 2000 on that machine and
> the HP printer has a parallel cable (no USB available).
> When I try to install or even search for the printer from the other
> computers, it simply says that there is no printer with that name or
> address.
>
> What's going on here?
>
> If someone could help me out, I would be very, very happy.
>
> Greets lex


When setting up a firewall, your allowed ports affect not only Internet
traffic, but your internal network as well. At a minimum, you probably want
http (port 80), ftp (port 21) and if you're using tcp over netbios, you'll
need port 139 (local network only). For ssh, timeserver, and printer ports,
you'll need others.

Please see:

For a complete list:
http://www.iana.org/assignments/port-numbers

For a list of common ports:
http://www.webopedia.com/quick_ref/portnumbers.asp

For Windows 2000:
http://go.microsoft.com/fwlink/?LinkId=21312

Michael

 

Duane Arnold
01-20-2005
Michael Hearne wrote:

> alexander rickert wrote:
>
>> Hello
>>
>> I'm experimenting with firewalls these days and print servers.
>> I use the Sygate firewall and it blocks more or less everything.
>>
>> I enabled the Network Neighbourhood thing, but still I have problems
>> with the network between the computers. It doesn't ask to enable
>> anything for the network, but when I turn off Sygate, it all works
>> perfectly.
>>
>> Does someone know how to solve this?
>>
>> My second problem is the printer. I have Win 2000 on that machine and
>> the HP printer has a parallel cable (no USB available).
>> When I try to install or even search for the printer from the other
>> computers, it simply says that there is no printer with that name or
>> address.
>>
>> What's going on here?
>>
>> If someone could help me out, I would be very, very happy.
>>
>> Greets lex

>
> When setting up a firewall, your allowed ports affect not only
> Internet traffic, but your internal network as well. At a minimum, you
> probably want http (port 80), ftp (port 21) and if you're using tcp
> over netbios, you'll need port 139 (local network only). For ssh,
> timeserver, and printer ports, you'll need others.
>

If you don't have Web services running on a machine listening on port 80
or 21, then why would one open those ports on the FW? Those ports should
remain closed. The FW will open port 80 due to a program such as a
browser running on the machine soliciting HTTP traffic on 80 from an IP.
It will block or close the port to all traffic on port 80 that was not
solicited. If you set rules to open port 80 (or 21, if something is listening
on 21) on the FW, then unsolicited traffic on the port will reach the
machine and the machine is open to attack.

Duane

 

Michael Hearne
01-20-2005
Duane Arnold wrote:

> Michael Hearne wrote:
>
>> alexander rickert wrote:
>>
>>> Hello
>>>
>>> I'm experimenting with firewalls these days and print servers.
>>> I use the Sygate firewall and it blocks more or less everything.
>>>
>>> I enabled the Network Neighbourhood thing, but still I have problems
>>> with the network between the computers. It doesn't ask to enable
>>> anything for the network, but when I turn off Sygate, it all works
>>> perfectly.
>>>
>>> Does someone know how to solve this?
>>>
>>> My second problem is the printer. I have Win 2000 on that machine and
>>> the HP printer has a parallel cable (no USB available).
>>> When I try to install or even search for the printer from the other
>>> computers, it simply says that there is no printer with that name or
>>> address.
>>>
>>> What's going on here?
>>>
>>> If someone could help me out, I would be very, very happy.
>>>
>>> Greets lex

>>
>> When setting up a firewall, your allowed ports affect not only
>> Internet traffic, but your internal network as well. At a minimum, you
>> probably want http (port 80), ftp (port 21) and if you're using tcp
>> over netbios, you'll need port 139 (local network only). For ssh,
>> timeserver, and printer ports, you'll need others.
>>

> If you don't have Web services running on a machine listening on port 80
> or 21, then why would one open those ports on the FW? Those ports should
> remain closed. The FW will open port 80 due to a program such as a
> browser running on the machine soliciting HTTP traffic on 80 from an IP.
> It will block or close the port to all traffic on port 80 that was not
> solicited. If you set rules to open port 80 (or 21, if something is listening
> on 21) on the FW, then unsolicited traffic on the port will reach the
> machine and the machine is open to attack.
>
> Duane


You have to have port 80 open to connect to your ISP. True, some use 8080 as
well, but it is unofficial. If you close *all* your ports, then you are
disconnected from the Internet!

I use shorewall, and the ports I have open to the Internet are: 21 (ftp), 80
(http), 123 (ntp) and 587 (msa). That last one is because my ISP blocks
port 25 and I have to use an alternate port for a paid email account. Every
bit of it is routed through squid, a caching proxy server, on port 3128.

What I have blocked are: 25 (smtp), 109 (pop-2), 110 (pop-3), 119 (news)
and 139 (netbios) and all the rest under port 1024. Port 139 (Netbios) is
open to the internal network, but blocked from the Internet. I have to have
it because I have mixed Linux and Windows machines on my network.

The mail and news ports are blocked to prevent my machines from being
zombied by spammers. The mail and news are routed through the ISP via port
80 - everything except telnet, ssh and other special stuff is.

I have about two break-in attempts per month - and they are logged! But
those attempts are stopped at the MTA (my mail handler) which is Postfix.
If you can't login you are stopped at the door. IOW, there is no "Guest"
account on this network.

Michael

 

Michael Hearne
01-20-2005
Duane Arnold wrote:

> Michael Hearne wrote:
>
>> Duane Arnold wrote:
>>
>>> Michael Hearne wrote:
>>>
>>>> alexander rickert wrote:
>>>>
>>>>> Hello
>>>>>
>>>>> I'm experimenting with firewalls these days and print servers.
>>>>> I use the Sygate firewall and it blocks more or less everything.
>>>>>
>>>>> I enabled the Network Neighbourhood thing, but still I have problems
>>>>> with the network between the computers. It doesn't ask to enable
>>>>> anything for the network, but when I turn off Sygate, it all works
>>>>> perfectly.
>>>>>
>>>>> Does someone know how to solve this?
>>>>>
>>>>> My second problem is the printer. I have Win 2000 on that machine
>>>>> and the HP printer has a parallel cable (no USB available).
>>>>> When I try to install or even search for the printer from the other
>>>>> computers, it simply says that there is no printer with that name
>>>>> or address.
>>>>>
>>>>> What's going on here?
>>>>>
>>>>> If someone could help me out, I would be very, very happy.
>>>>>
>>>>> Greets lex
>>>>
>>>> When setting up a firewall, your allowed ports affect not only
>>>> Internet traffic, but your internal network as well. At a minimum,
>>>> you probably want http (port 80), ftp (port 21) and if you're using
>>>> tcp over netbios, you'll need port 139 (local network only). For
>>>> ssh, timeserver, and printer ports, you'll need others.
>>>>
>>> If you don't have Web services running on a machine listening on port
>>> 80 or 21, then why would one open those ports on the FW? Those ports
>>> should remain closed. The FW will open port 80 due to a program such
>>> as a browser running on the machine soliciting HTTP traffic on 80
>>> from an IP. It will block or close the port to all traffic on port 80
>>> that was not solicited. If you set rules to open port 80 (or 21, if
>>> something is listening on 21) on the FW, then unsolicited traffic on
>>> the port will reach the machine and the machine is open to attack.
>>>
>>> Duane

>>
>> You have to have port 80 open to connect to your ISP. True, some use
>> 8080 as well, but it is unofficial. If you close *all* your ports,
>> then you are disconnected from the Internet!

>
> No, you don't have to have port 80 open, and it is not true on any software
> FW, NAT router or FW appliance that I have used. A host based FW, the
> firmware in a NAT router and a FW appliance will allow inbound traffic on
> a port (open the port) if software on the machine behind them sends
> outbound traffic to an IP. That's called a solicitation for traffic. If
> inbound traffic is not solicited (no program running behind the host based
> FW, NAT router or FW appliance has made a solicitation for the inbound
> traffic), then they will reject the traffic. All ports are closed by
> default on them. Unsolicited inbound traffic will come in on a port if
> rules have been set on the host based FW, NAT router or FW appliance to
> allow the unsolicited inbound traffic; otherwise, the ports are closed by
> default and inbound traffic is rejected. Or a port will be open to inbound
> traffic on a FW or NAT router if a solicitation for inbound traffic is made
> to an IP due to outbound traffic being sent to the IP.
>
> Unsolicited traffic coming inbound on a port would be like PORT 80 HTTP
> because you have a WEB server like IIS (Web services running) on the
> machine listening on port 80. In this case on a NAT router or FW
> appliance, one would port forward port 80 (open the port) and forward the
> traffic to the machine/IP that had IIS running, or set rules on the FW
> appliance to forward the traffic to the IP/machine. If it was a host based
> FW, the rules would have to be set to allow unsolicited inbound traffic in
> on port 80; otherwise, no one would be able to contact IIS running on the
> machine at a specified private or LAN side IP. In the meantime, it's
> business as usual for any other machine that's expecting traffic on port
> 80 behind the NAT router or FW appliance that's making a solicitation for
> traffic using a browser.
>
> In the case of browsers such as IE, Firefox and other such programs that
> contact the Internet, they make a solicitation for inbound traffic
> because they sent outbound traffic (they initiated the contact or
> solicited the inbound) to an ISP, WEB site, etc., and if they are doing it
> from behind the host based FW, NAT router or FW appliance, then each one
> of them will open the appropriate inbound port, allow the inbound, and
> reject any IP on the inbound that has not had a solicitation made to it
> on the outbound. That's the normal function of a host based FW, NAT router
> or FW appliance when all ports are closed by default.
>
>
>>
>> I use shorewall, and the ports I have open to the Internet are: 21
>> (ftp), 80 (http), 123 (ntp) and 587 (msa). That last one is because my
>> ISP blocks port 25 and I have to use an alternate port for a paid
>> email account. Every bit of it is routed through squid, a caching
>> proxy server, on port 3128.

>
> I am not familiar with Shorewall so I don't know anything about it. However,
> I have used IPSec which is on the Win 2k, XP, and Win 2K O/S(s) and yes,
> when it is active on the machine it works much like a FW. I must set
> rules to open HTTP, SMTP, POP3, etc. even behind the Watchguard FW
> appliance, Linksys router or BlackIce I was using; otherwise, traffic on
> the ports inbound would not reach the machine and the program listening
> for the inbound.
>
> http://www.analogx.com/contents/articles/ipsec.htm
>
>>
>> What I have blocked are: 25 (smtp), 109 (pop-2), 110 (pop-3), 119
>> (news) and 139 (netbios) and all the rest under port 1024. Port 139
>> (Netbios) is open to the internal network, but blocked from the
>> Internet. I have to have it because I have mixed Linux and Windows
>> machines on my network.

>
> Yes, if you're running host based FW(s) on the machines then you'll have
> to open the ports on the FW(s) to the LAN/private side IP(s) for the
> network traffic between machines. That's what I had to do with IPsec and
> BlackIce: open the Networking ports on the LAN side behind the WG or
> the Linksys. And I have Windows and Linux machines on my network too.
>
>>
>> The mail and news ports are blocked to prevent my machines from being
>> zombied by spammers. The mail and news are routed through the ISP via
>> port 80 - everything except telnet, ssh and other special stuff is.
>>
>> I have about two break-in attempts per month - and they are logged!
>> But those attempts are stopped at the MTA (my mail handler) which is
>> Postfix. If you can't login you are stopped at the door. IOW, there is
>> no "Guest" account on this network.

>
> I don't have any break-ins because the ports are closed by default on the
> WG, and when I do open the FTP ports on the WG, the O/S, file system, IIS
> etc. are secured and hardened against attack. I have not opened the ports
> in a long, long time.
>
> Duane


I'm too tired to go on tonight, so I'll print this out and continue later.
In the meantime here is a quick sketch of my rules:

######################################################################
#ACTION   SOURCE  DEST   PROTO  DEST    SOURCE   ORIGINAL  RATE   USER/
#                               PORT    PORT(S)  DEST      LIMIT  GROUP
REDIRECT  loc     3128   tcp    www     -
ACCEPT    fw      net    tcp    www
REDIRECT  loc     3128   tcp    www     -
ACCEPT    fw      net    tcp    www
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


Sorry, I didn't have time to format it for you.

Later,

Michael
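
To make Duane's solicited/unsolicited distinction and Michael's Shorewall sketch concrete, here is a toy stateful filter written for this thread (an added example, not code from any poster or from Shorewall). The zone names loc/fw/net, port 3128 and the two REDIRECT/ACCEPT rules come from the post; the Packet layout, the policy table, the IP addresses and the extra NetBIOS rule are this example's own assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_zone: str      # "loc" (LAN), "fw" (the firewall box) or "net" (Internet)
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    new: bool = True   # True opens a connection; False is a reply on an existing one


@dataclass
class Firewall:
    # Rules in Shorewall column order (ACTION, SOURCE, DEST, DEST PORT). For
    # REDIRECT the DEST column is a local port, as in "REDIRECT loc 3128 tcp www".
    rules: list
    # Zone-pair policy used when no rule matches; unlisted pairs are dropped.
    policy: dict
    # Connection state: (initiator ip, peer ip, peer port) for each outbound open.
    conntrack: set = field(default_factory=set)

    def filter(self, p: Packet) -> str:
        # A reply is "solicited" only if a host behind the firewall opened the
        # connection first; without that state the port is closed to it.
        if not p.new:
            return "ACCEPT" if (p.dst_ip, p.src_ip, p.src_port) in self.conntrack else "DROP"
        for action, src, dst, port in self.rules:
            if src != p.src_zone or port != p.dst_port:
                continue
            if action == "REDIRECT":
                return f"REDIRECT fw:{dst}"  # handed to the local proxy, nothing leaves
            if action == "ACCEPT" and dst == p.dst_zone:
                self.conntrack.add((p.src_ip, p.dst_ip, p.dst_port))
                return "ACCEPT"
        verdict = self.policy.get((p.src_zone, p.dst_zone), "DROP")
        if verdict == "ACCEPT":
            self.conntrack.add((p.src_ip, p.dst_ip, p.dst_port))
        return verdict


def michaels_firewall() -> Firewall:
    # Constructed from the sketch above plus Michael's NetBIOS point (139 reachable
    # from the LAN only). There is deliberately no net->loc port-forward rule, so
    # a web server behind it (Duane's IIS case) would need one added to be reachable.
    return Firewall(
        rules=[("REDIRECT", "loc", "3128", 80),
               ("ACCEPT", "fw", "net", 80),
               ("ACCEPT", "loc", "fw", 139)],
        policy={("loc", "net"): "ACCEPT", ("fw", "net"): "ACCEPT"},
    )
```

Run it through the cases the thread argues about: the proxy's outbound fetch on port 80 gets its reply back, while an unsolicited connection to port 80 on the same box is dropped, which is the sense in which the port is "closed" even though browsing works.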


 

kier
01-20-2005
Michael Hearne wrote:

> Duane Arnold wrote:


>> I don't have any break-ins because the ports are closed by default on
>> the WG, and when I do open the FTP ports on the WG, the O/S, file
>> system, IIS etc. are secured and hardened against attack. I have not
>> opened the ports in a long, long time.
>>
>> Duane

>
> I'm too tired to go on tonight, so I'll print this out and continue
> later. In the meantime here is a quick sketch of my rules:
>
> ######################################################################
> #ACTION   SOURCE  DEST   PROTO  DEST    SOURCE   ORIGINAL  RATE   USER/
> #                               PORT    PORT(S)  DEST      LIMIT  GROUP
> REDIRECT  loc     3128   tcp    www     -
> ACCEPT    fw      net    tcp    www
> REDIRECT  loc     3128   tcp    www     -
> ACCEPT    fw      net    tcp    www
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>
> Sorry, I didn't have time to format it for you.


Duaneypoo can't read. And if the **** could, his boggle eye would **** the
formatting anyway.




--
If this post did not come from me then it came from a post-editing, lying
****boy sockpuppet.

 

kier
01-20-2005
On Thu, 20 Jan 2005 21:08:32 +1100, a lying forger wrote:

> Michael Hearne wrote:
>
>> Duane Arnold wrote:

>
>>> I don't have any break-ins because the ports are closed by default on
>>> the WG, and when I do open the FTP ports on the WG, the O/S, file
>>> system, IIS etc. are secured and hardened against attack. I have not
>>> opened the ports in a long, long time.
>>>
>>> Duane

>>
>> I'm too tired to go on tonight, so I'll print this out and continue
>> later. In the meantime here is a quick sketch of my rules:
>>
>> ######################################################################
>> #ACTION   SOURCE  DEST   PROTO  DEST    SOURCE   ORIGINAL  RATE   USER/
>> #                               PORT    PORT(S)  DEST      LIMIT  GROUP
>> REDIRECT  loc     3128   tcp    www     -
>> ACCEPT    fw      net    tcp    www
>> REDIRECT  loc     3128   tcp    www     -
>> ACCEPT    fw      net    tcp    www
>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>>
>>
>> Sorry, I didn't have time to format it for you.

>
> Duaneypoo can't read. And if the **** could, his boggle eye would **** the
> formatting anyway.


<yawn> How long are you going to play your silly games, boyo, it's getting
really boring.

--
Kier



 