Print server and firewall

Discussion in 'Computer Information' started by alexander rickert, Jan 15, 2005.

  1. Hello

    I'm experimenting with firewalls these days and print servers.
    I use the Sygate firewall and it blocks more or less everything.

    I enabled the Network Neighbourhood thing, but still I have problems with
    the network between the computers. It doesn't ask to enable anything for
    the network, but when I turn off Sygate, it works all perfectly.

    Does someone know how to solve this?

    My second problem is the printer. I have Win 2000 on that machine and
    the HP printer has a parallel cable (no USB available).
    When I try to install or even search for the printer with the other
    computers, it simply says that there is no printer with that name or
    address.

    What's going on here?

    If someone could help me out, I would be very, very happy.

    Greets lex
    alexander rickert, Jan 15, 2005
    #1

  2. alexander rickert wrote:

    > Hello
    >
    > I'm experimenting with firewalls these days and print servers.
    > I use the Sygate firewall and it blocks more or less everything.
    >
    > I enabled the Network Neighbourhood thing, but still I have problems with
    > the network between the computers. It doesn't ask to enable anything for
    > the network, but when I turn off Sygate, it works all perfectly.
    >
    > Does someone know how to solve this?
    >
    > My second problem is the printer. I have Win 2000 on that machine and
    > the HP printer has a parallel cable (no USB available).
    > When I try to install or even search for the printer with the other
    > computers, it simply says that there is no printer with that name or
    > address.
    >
    > What's going on here?
    >
    > If someone could help me out , I would be very very happy.
    >
    > Greets lex


    When setting up a firewall, your allowed ports affect not only Internet
    traffic, but your internal network as well. At a minimum, you probably want
    http (port 80), ftp (port 21) and if you're using tcp over netbios, you'll
    need port 139 (local network only). For ssh, timeserver, and printer ports,
    you'll need others.

    Please see:

    For a complete list:
    http://www.iana.org/assignments/port-numbers

    For a list of common ports:
    http://www.webopedia.com/quick_ref/portnumbers.asp

    For Windows 2000:
    http://go.microsoft.com/fwlink/?LinkId=21312

    Michael
    Michael Hearne, Jan 19, 2005
    #2

  3. Duane Arnold (Guest)

    Michael Hearne <> wrote in
    news:lrCHd.1008$:

    > alexander rickert wrote:
    >
    >> Hello
    >>
    >> I'm experimenting with firewalls these days and print servers.
    >> I use the Sygate firewall and it blocks more or less everything.
    >>
    >> I enabled the Network Neighbourhood thing, but still I have problems
    >> with the network between the computers. It doesn't ask to enable
    >> anything for the network, but when I turn off Sygate, it works all
    >> perfectly.
    >>
    >> Does someone know how to solve this?
    >>
    >> My second problem is the printer. I have Win 2000 on that machine and
    >> the HP printer has a parallel cable (no USB available).
    >> When I try to install or even search for the printer with the other
    >> computers, it simply says that there is no printer with that name or
    >> address.
    >>
    >> What's going on here?
    >>
    >> If someone could help me out , I would be very very happy.
    >>
    >> Greets lex

    >
    > When setting up a firewall, your allowed ports affect not only
    > Internet traffic, but your internal network as well. At a minimum, you
    > probably want http (port 80), ftp (port 21) and if you're using tcp
    > over netbios, you'll need port 139 (local network only). For ssh,
    > timeserver, and printer ports, you'll need others.
    >

    If you don't have Web services running on a machine listening on port 80
    or 21, then why would one open those ports on the FW? Those ports should
    remain closed. The FW will open port 80 due to a program such as a
    browser running on the machine soliciting HTTP traffic on 80 from an IP.
    It will block or close the port to all traffic on port 80 that was not
    solicited. If you set rules to open port 80 (or 21, if something is
    listening on 21) on the FW, then unsolicited traffic on the port will
    reach the machine and the machine is open to attack.

    Duane :)
    Duane Arnold, Jan 20, 2005
    #3
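Added example, not code from any of the posts in this thread: a small Python model of the behaviour Duane describes, and of Michael's point that host firewall rules apply to LAN traffic as much as to the Internet. Outbound traffic records a "solicitation" in a connection table, replies that match it are accepted, and unsolicited inbound traffic is dropped unless an explicit rule allows it: an Internet-facing allow only when something like IIS is really listening on 80, and NetBIOS/SMB (the file and print sharing the original poster needs) allowed only from LAN addresses. The LAN prefix, the host addresses and the packet samples are constructed for illustration.

```python
"""Toy stateful packet filter for a single host (added example, not from the thread).

Models Duane's "solicited vs. unsolicited" rule: traffic the host sends out
creates state, matching replies are let back in, and anything else is dropped
unless an explicit inbound rule exists.  The LAN prefix, addresses and packets
below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumption: the home network
HOST = "192.168.1.10"                # assumption: the Win 2000 print server running the host FW

# Windows file and print sharing: NetBIOS name/datagram/session services and SMB over TCP
FILE_AND_PRINT_SHARING = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to HOST
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


class StatefulFirewall:
    def __init__(self, inbound_allow=(), lan_only=FILE_AND_PRINT_SHARING):
        self.inbound_allow = set(inbound_allow)  # (proto, port) reachable from anywhere
        self.lan_only = set(lan_only)            # (proto, port) reachable from LAN only
        # flows this host initiated: (proto, remote_ip, remote_port, local_port)
        self.conntrack = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Outbound traffic is the solicitation; remember it so the reply can come back
            self.conntrack.add((pkt.proto, pkt.dst, pkt.dport, pkt.sport))
            return "ACCEPT"

        if (pkt.proto, pkt.src, pkt.sport, pkt.dport) in self.conntrack and not pkt.syn:
            return "ACCEPT"   # reply to a flow we solicited
        service = (pkt.proto, pkt.dport)
        if service in self.inbound_allow:
            return "ACCEPT"   # a server is deliberately exposed (Duane's IIS case)
        if service in self.lan_only and ip_address(pkt.src) in LAN:
            return "ACCEPT"   # file and print sharing from a LAN peer only
        return "DROP"         # unsolicited, closed by default


def demo():
    fw = StatefulFirewall()   # nothing exposed to the Internet
    r = {}
    # Browser on HOST fetches a page: the outbound SYN solicits, the reply is admitted
    r["browser_out"] = fw.filter(Packet("out", "tcp", HOST, 51000, "203.0.113.5", 80, syn=True))
    r["browser_reply"] = fw.filter(Packet("in", "tcp", "203.0.113.5", 80, HOST, 51000))
    # Unsolicited probe of port 80 from the Internet: nothing listens, so it is dropped
    r["probe_80"] = fw.filter(Packet("in", "tcp", "198.51.100.7", 40000, HOST, 80, syn=True))
    # SMB session setup: dropped from the Internet, accepted from a LAN PC (the OP's case)
    r["smb_internet"] = fw.filter(Packet("in", "tcp", "198.51.100.7", 40001, HOST, 139, syn=True))
    r["smb_lan"] = fw.filter(Packet("in", "tcp", "192.168.1.20", 40002, HOST, 139, syn=True))
    r["netbios_ns_lan"] = fw.filter(Packet("in", "udp", "192.168.1.20", 137, HOST, 137))
    # Only when IIS really listens does an inbound allow for 80 make sense
    web = StatefulFirewall(inbound_allow={("tcp", 80)})
    r["iis_80"] = web.filter(Packet("in", "tcp", "198.51.100.7", 40003, HOST, 80, syn=True))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

The LAN-only entry is the fix for the Sygate symptom in the first post: with only the default "drop unsolicited" behaviour, a neighbouring PC's SMB connection to the print server is unsolicited and gets dropped, which is exactly why everything works the moment the firewall is switched off.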
  4. Duane Arnold wrote:

    > Michael Hearne <> wrote in
    > news:lrCHd.1008$:
    >
    >> alexander rickert wrote:
    >>
    >>> Hello
    >>>
    >>> I'm experimenting with firewalls these days and print servers.
    >>> I use the Sygate firewall and it blocks more or less everything.
    >>>
    >>> I enabled the Network Neighbourhood thing, but still I have problems
    >>> with the network between the computers. It doesn't ask to enable
    >>> anything for the network, but when I turn off Sygate, it works all
    >>> perfectly.
    >>>
    >>> Does someone know how to solve this?
    >>>
    >>> My second problem is the printer. I have Win 2000 on that machine and
    >>> the HP printer has a parallel cable (no usb available).
    >>> When I try to install or even search the printer with the other
    >>> computers, it simply says that there is no printer with that name or
    >>> address.
    >>>
    >>> Whats going on here?
    >>>
    >>> If someone could help me out , I would be very very happy.
    >>>
    >>> Greets lex

    >>
    >> When setting up a firewall, your allowed ports affect not only
    >> Internet traffic, but your internal network as well. At a minimum, you
    >> probably want http (port 80), ftp (port 21) and if you're using tcp
    >> over netbios, you'll need port 139 (local network only). For ssh,
    >> timeserver, and printer ports, you'll need others.
    >>

    > If you don't have Web services running on a machine listening on port 80
    > or 21, then why would one open those ports on the FW? Those ports should
    > remain closed. The FW will open port 80 due to a program such as a
    > browser running on the machine soliciting HTTP traffic on 80 from an IP.
    > It will block or close the port to all traffic on port 80 that was not
    > solicited. If you set rules to open port 80 (or 21, if something is
    > listening on 21) on the FW, then unsolicited traffic on the port will
    > reach the machine and the machine is open to attack.
    >
    > Duane :)


    You have to have port 80 open to connect to your ISP. True, some use 8080 as
    well, but it is unofficial. If you close *all* your ports, then you are
    disconnected from the Internet!

    I use shorewall, and the ports I have open to the Internet are: 21 (ftp), 80
    (http), 123 (ntp) and 587 (msa). That last one is because my ISP blocks
    port 25 and I have to use an alternate port for a paid email account. Every
    bit of it is routed through squid, a caching proxy server, on port 3128.

    What I have blocked are: 25 (smtp), 109 (pop-2), 110 (pop-3), 119 (news)
    and 139 (netbios) and all the rest under port 1024. Port 139 (Netbios) is
    open to the internal network, but blocked from the Internet. I have to have
    it because I have mixed Linux and Windows machines on my network.

    The mail and news ports are blocked to prevent my machines from being
    zombied by spammers. The mail and news are routed through the ISP via port
    80 - everything except telnet, ssh and other special stuff is.

    I have about two break-in attempts per month - and they are logged! But
    those attempts are stopped at the MTA (my mail handler) which is Postfix.
    If you can't login you are stopped at the door. IOW, there is no "Guest"
    account on this network.

    Michael
    Michael Hearne, Jan 20, 2005
    #4
  5. Duane Arnold wrote:

    > Michael Hearne <> wrote in
    > news:LtGHd.1362$:
    >
    >> Duane Arnold wrote:
    >>
    >>> Michael Hearne <> wrote in
    >>> news:lrCHd.1008$:
    >>>
    >>>> alexander rickert wrote:
    >>>>
    >>>>> Hello
    >>>>>
    >>>>> I'm experimenting with firewalls these days and print servers.
    >>>>> I use the Sygate firewall and it blocks more or less everything.
    >>>>>
    >>>>> I enabled the Network Neighbourhood thing, but still I have problems
    >>>>> with the network between the computers. It doesn't ask to enable
    >>>>> anything for the network, but when I turn off Sygate, it works all
    >>>>> perfectly.
    >>>>>
    >>>>> Does someone know how to solve this?
    >>>>>
    >>>>> My second problem is the printer. I have Win 2000 on that machine
    >>>>> and the HP printer has a parallel cable (no usb available).
    >>>>> When I try to install or even search the printer with the other
    >>>>> computers, it simply says that there is no printer with that name
    >>>>> or address.
    >>>>>
    >>>>> Whats going on here?
    >>>>>
    >>>>> If someone could help me out , I would be very very happy.
    >>>>>
    >>>>> Greets lex
    >>>>
    >>>> When setting up a firewall, your allowed ports affect not only
    >>>> Internet traffic, but your internal network as well. At a minimum,
    >>>> you probably want http (port 80), ftp (port 21) and if you're using
    >>>> tcp over netbios, you'll need port 139 (local network only). For
    >>>> ssh, timeserver, and printer ports, you'll need others.
    >>>>
    >>> If you don't have Web services running on a machine listening on port
    >>> 80 or 21, then why would one open those ports on the FW? Those ports
    >>> should remain closed. The FW will open port 80 due to a program such
    >>> as a browser running on the machine soliciting HTTP traffic on 80
    >>> from an IP. It will block or close the port to all traffic on port 80
    >>> that was not solicited. If you set rules to open port 80 (or 21, if
    >>> something is listening on 21) on the FW, then unsolicited traffic on
    >>> the port will reach the machine and the machine is open to attack.
    >>>
    >>> Duane :)

    >>
    >> You have to have port 80 open to connect to your ISP. True, some use
    >> 8080 as well, but it is unofficial. If you close *all* your ports,
    >> then you are disconnected from the Internet!

    >
    > No, you don't have to have port 80 open, and it is not true on any software
    > FW, NAT router or FW appliance that I have used. A host based FW, the
    > firmware in a NAT router and a FW appliance will allow inbound traffic on
    > a port (open the port) if software on the machine behind them sends
    > outbound traffic to an IP. That's called a solicitation for traffic. If
    > inbound traffic is not solicited (no program running behind the host based
    > FW, NAT router or FW appliance has made a solicitation for the inbound
    > traffic), then they will reject the traffic. All ports are closed by
    > default on them. Unsolicited inbound traffic will come in on a port if
    > rules have been set on the host based FW, NAT router or FW appliance to
    > allow the unsolicited inbound traffic; otherwise, the ports are closed by
    > default and inbound traffic is rejected. Or a port will be open to inbound
    > traffic on a FW or NAT router if a solicitation for inbound traffic is
    > made to an IP due to outbound traffic being sent to the IP.
    >
    > Unsolicited traffic coming inbound on a port would be like port 80 HTTP
    > because you have a Web server like IIS (Web services running) on the
    > machine listening on port 80. In this case, on a NAT router or FW
    > appliance, one would port forward port 80 (open the port) and forward the
    > traffic to the machine/IP that had IIS running, or set rules on the FW
    > appliance to forward the traffic to the IP/machine. If it was a host based
    > FW, the rules would have to be set to allow unsolicited inbound traffic in
    > on port 80; otherwise, no one would be able to contact IIS running on the
    > machine at a specified private or LAN side IP. In the meantime, it's
    > business as usual for any other machine behind the NAT router or FW
    > appliance that's expecting traffic on port 80 because it made a
    > solicitation for traffic using a browser.
    >
    > In the case of browsers such as IE, Firefox and other such programs that
    > contact the Internet, they make a solicitation for inbound traffic
    > because they sent outbound traffic (they initiated the contact or
    > solicited the inbound) to an ISP, Web site, etc., and since they are doing
    > it from behind the host based FW, NAT router or FW appliance, each one of
    > those will open the appropriate inbound port, allow the inbound and
    > reject any IP on the inbound that has not had a solicitation made to it
    > on the outbound. That's the normal function of a host based FW, NAT
    > router or FW appliance when all ports are closed by default.
    >
    >>
    >> I use shorewall, and the ports I have open to the Internet are: 21
    >> (ftp), 80 (http), 123 (ntp) and 587 (msa). That last one is because my
    >> ISP blocks port 25 and I have to use an alternate port for a paid
    >> email account. Every bit of it is routed through squid, a caching
    >> proxy server, on port 3128.

    >
    > I am not familiar with Shorewall, so I don't know anything about it. However,
    > I have used IPsec, which is on the Win 2K, XP and Win 2K O/S(s), and yes,
    > when it is active on the machine it works much like a FW: I must set
    > rules to open HTTP, SMTP, POP3, etc. even behind the Watchguard FW
    > appliance, Linksys router or BlackIce I was using; otherwise, inbound
    > traffic on the ports would not reach the machine and the program listening
    > for the inbound.
    >
    > http://www.analogx.com/contents/articles/ipsec.htm
    >
    >>
    >> What I have blocked are: 25 (smtp), 109 (pop-2), 110 (pop-3), 119
    >> (news) and 139 (netbios) and all the rest under port 1024. Port 139
    >> (Netbios) is open to the internal network, but blocked from the
    >> Internet. I have to have it because I have mixed Linux and Windows
    >> machines on my network.

    >
    > Yes, if you're running host based FW(s) on the machines, then you'll have
    > to open the ports on the FW(s) to the LAN/private side IP(s) for the
    > network traffic between machines. That's what I had to do with IPsec and
    > BlackIce: open the networking ports on the LAN side behind the WG or
    > the Linksys. And I have Windows and Linux machines on my network too. ;-)
    >
    >>
    >> The mail and news ports are blocked to prevent my machines from being
    >> zombied by spammers. The mail and news are routed through the ISP via
    >> port 80 - everything except telnet, ssh and other special stuff is.
    >>
    >> I have about two break-in attempts per month - and they are logged!
    >> But those attempts are stopped at the MTA (my mail handler) which is
    >> Postfix. If you can't login you are stopped at the door. IOW, there is
    >> no "Guest" account on this network.

    >
    > I don't have any break-ins because the ports are closed by default on the
    > WG, and when I do open the FTP ports on the WG, the O/S, file system, IIS
    > etc. are secured and hardened to attack. I have not opened the ports in a
    > long, long time.
    >
    > Duane :)


    I'm too tired to go on tonight, so I'll print this out and continue later.
    In the meantime here is a quick sketch of my rules:

    #####################################################################->
    #ACTION   SOURCE  DEST   PROTO  DEST   SOURCE   ORIGINAL  RATE   USER/
    #                               PORT   PORT(S)  DEST      LIMIT  GROUP
    REDIRECT  loc     3128   tcp    www    -
    ACCEPT    fw      net    tcp    www
    REDIRECT  loc     3128   tcp    www    -
    ACCEPT    fw      net    tcp    www
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


    Sorry, I didn't have time to format it for you.

    Later,

    Michael
    Michael Hearne, Jan 20, 2005
    #5
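The rules Michael sketches are in shorewall's whitespace-separated column format, where for a REDIRECT rule the DEST column holds the local port the traffic is sent to (squid on 3128). As an added example, not Michael's configuration and not shorewall's own code, here is a Python parser for that format plus an evaluator that applies a rule set to a few sample connections: LAN web traffic is redirected to squid, the firewall's own fetches to port 80 are accepted, and anything without a matching rule falls to an assumed DROP policy (real shorewall takes that from its policy file, not from the rules file). The extra ACCEPT lines, the inline service table and the sample connections are assumptions chosen to match the ports Michael lists in his earlier post.

```python
"""Parse and evaluate shorewall-style rules (added example; not Michael's
actual configuration or shorewall's own code).

Columns: ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ...  For REDIRECT the
DEST column is the local port that matching traffic is redirected to.  Zone
names follow shorewall's usual defaults (net, loc, fw).  The default policy,
the service table and the extra rules are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

RULES_TEXT = """
#ACTION   SOURCE  DEST   PROTO  DEST          SOURCE
#                               PORT          PORT(S)
REDIRECT  loc     3128   tcp    www           -
ACCEPT    fw      net    tcp    www
ACCEPT    fw      net    tcp    ftp
ACCEPT    fw      net    udp    ntp
ACCEPT    fw      net    tcp    587
ACCEPT    loc     fw     tcp    netbios-ssn
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Small inline subset of /etc/services so the example runs offline
SERVICES = {"ftp": 21, "ssh": 22, "smtp": 25, "www": 80, "http": 80, "pop3": 110,
            "ntp": 123, "nntp": 119, "netbios-ssn": 139, "submission": 587}


@dataclass
class Rule:
    action: str
    source: str            # source zone
    dest: str              # destination zone, or local port for REDIRECT
    proto: str             # "tcp", "udp" or "-" for any
    dport: Optional[int]   # None means any destination port


def resolve_port(token: str) -> Optional[int]:
    if token == "-":
        return None
    return SERVICES[token] if token in SERVICES else int(token)


def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (5 - len(cols))        # optional columns default to "any"
        action, source, dest, proto, dport = cols[:5]
        rules.append(Rule(action, source, dest, proto, resolve_port(dport)))
    return rules


def evaluate(rules, src_zone, dst_zone, proto, dport, policy="DROP"):
    """First matching rule wins; with no match the zone policy applies."""
    for r in rules:
        if r.source != src_zone or r.proto not in ("-", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.action == "REDIRECT":
            # REDIRECT catches matching traffic leaving the source zone regardless
            # of its real destination and sends it to the firewall's local port
            return ("REDIRECT", int(r.dest))
        if r.dest != dst_zone:
            continue
        return (r.action, None)
    return (policy, None)


def demo():
    rules = parse_rules(RULES_TEXT)
    return {
        "lan_browser":     evaluate(rules, "loc", "net", "tcp", 80),   # squid gets it
        "squid_fetch":     evaluate(rules, "fw", "net", "tcp", 80),    # firewall itself may go out
        "lan_smb_to_fw":   evaluate(rules, "loc", "fw", "tcp", 139),   # NetBIOS open to the LAN
        "internet_smb":    evaluate(rules, "net", "fw", "tcp", 139),   # ...but not to the Internet
        "lan_direct_smtp": evaluate(rules, "loc", "net", "tcp", 25),   # no direct mail from LAN PCs
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The last two sample connections show the two halves of Michael's earlier description in one rule set: port 139 is reachable from the loc zone but not from net, and a LAN PC trying to talk SMTP straight to the Internet has no matching rule, so it hits the policy rather than getting out.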
  6. kier (Guest)

    Michael Hearne wrote:

    > Duane Arnold wrote:


    >> I don't have any break-ins because the ports are closed by default on
    >> the WG, and when I do open the FTP ports on the WG, the O/S, file
    >> system, IIS etc. are secured and hardened to attack. I have not opened
    >> the ports in a long, long time.
    >>
    >> Duane :)

    >
    > I'm too tired to go on tonight, so I'll print this out and continue
    > later. In the meantime here is a quick sketch of my rules:
    >
    > #####################################################################->
    > #ACTION   SOURCE  DEST   PROTO  DEST   SOURCE   ORIGINAL  RATE   USER/
    > #                               PORT   PORT(S)  DEST      LIMIT  GROUP
    > REDIRECT  loc     3128   tcp    www    -
    > ACCEPT    fw      net    tcp    www
    > REDIRECT  loc     3128   tcp    www    -
    > ACCEPT    fw      net    tcp    www
    > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
    >
    >
    > Sorry, I didn't have time to format it for you.


    Duaneypoo can't read. And if the **** could, his boggle eye would **** the
    formatting anyway.




    --
    If this post did not come from me then it came from a post-editing, lying
    fuckboy sockpuppet.
    kier, Jan 20, 2005
    #6
  7. kier (Guest)

    On Thu, 20 Jan 2005 21:08:32 +1100, a lying forger wrote:

    > Michael Hearne wrote:
    >
    >> Duane Arnold wrote:

    >
    >>> I don't have any break-ins because the ports are closed by default on
    >>> the WG, and when I do open the FTP ports on the WG, the O/S, file
    >>> system, IIS etc. are secured and hardened to attack. I have not opened
    >>> the ports in a long, long time.
    >>>
    >>> Duane :)

    >>
    >> I'm too tired to go on tonight, so I'll print this out and continue
    >> later. In the meantime here is a quick sketch of my rules:
    >>
    >> #####################################################################->
    >> #ACTION   SOURCE  DEST   PROTO  DEST   SOURCE   ORIGINAL  RATE   USER/
    >> #                               PORT   PORT(S)  DEST      LIMIT  GROUP
    >> REDIRECT  loc     3128   tcp    www    -
    >> ACCEPT    fw      net    tcp    www
    >> REDIRECT  loc     3128   tcp    www    -
    >> ACCEPT    fw      net    tcp    www
    >> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
    >>
    >>
    >> Sorry, I didn't have time to format it for you.

    >
    > Duaneypoo can't read. And if the **** could, his boggle eye would **** the
    > formatting anyway.


    <yawn> How long are you going to play your silly games, boyo, it's getting
    really boring.

    --
    Kier
    kier, Jan 20, 2005
    #7
