IT Connect

Connecting You to Information Technology at the UW

Need Help?

Contact Us

Resources

Accessibility Accounts and Passwords Administrative Systems Appropriate Use Computer Labs Connecting Consulting Email Emergency Phones Questions & Ordering Printing Research Resources for IT Support Staff Safe and Secure Computing Skill Development Software and Hardware Teaching and Learning Teamwork Tools TV and Video Web Publishing

UW-IT

UW-IT Service Catalog UW-IT Billing

Firewall Baseline Rule Set

IT Connect > Connecting > Firewall > Baseline Rule Set

• On This Page
• Baseline
• Common Options

The Baseline Firewall Rule Set is a basic firewall rule set that can be a starting point for many customers. The baseline rules and one or two of the common options will cover most customers.

Baseline

• Block outbound "bad" ports - "bad" ports are defined as the ports primarily used for worm/virus propagation and other bad behavior. UW Technology defines "bad" ports as TCP and UDP ports 135, 136, 137, 138. 139, and 445.
• Allow all other outbound traffic
• Allow all traffic to and from UW Technology management networks
• Allow DHCP from UW Technology campus servers
• Block all other inbound traffic that isn't part of an established, stateful connection.

Some Common Options

• Allow outbound "bad" ports.
• "Open" addresses - Traffic to and from the "Open" hosts will not have any rules applied to them, and will require active host/server administration and possibly their own, customer-provided and administered firewall. This is somewhat similar to "DMZ" hosts, however, in this case, there is no protection between the "Open" hosts and the rest of the protected subnet.
• Nebula machines - Nebula machines will require additional ports to be open through the firewall.
• UW Windows Infrastructure - Customers using UWWI will need additional UW-IT servers to be open through the firewall ( UWWI page ).
• "Trusted" subnets - "Trusted" subnets will allow traffic to and from these subnets without applying any rules.
• Allow subnet services - Specific services can be allowed through the firewall, however they will be allowed to all devices on the subnet. Here are some common services:
  • ssh (22)
  • smtp (25)
  • ipsec (50, 51, 500)
  • dns (53)
  • http (80)
  • https (443)
  • kerberos (88)
  • ntp (123)
  • imap (143)
  • imaps (993)
  • ldap (389, 636)
  • dhcp (546, 547)
  • rtsp (554)
  • nntp (563)
  • l2tp (1701)
  • pptp (1723)
  • rdp (3389)
• Firewall logs - Raw firewall logs can be sent via syslog provided the customer has a syslog server set up and wants the data.

---

Reviewed 4/21/11 | News Feed | News Archive | About IT Connect