Outbound Firewall Security
The default configuration on most firewall appliances denies any connection attempt from the internet to your computers. To speed up installation, the default on most firewalls also permits any connection attempt from your computers to the internet. This unfortunately allows any virus, spyware, malware, or spam program on your system to send whatever it likes out to the internet. Once the outbound connection is made, your firewall allows all return traffic, including remote control of your system.
Configuring the Firewall
There are about 65 thousand ports that you can connect on. Most businesses and home users only need a handful. To configure the firewall, start by removing the default “permit any” rule and replacing it with a “deny any” rule. This stops all traffic going to the internet. Make sure the “deny any” rule is the last one at the bottom of the access list: rules are checked from the top down and the first match wins, so anything placed below it is never reached.
Now that we are secure, let’s make the internet connection usable again. For general web browsing we need to permit a few outbound ports. The basics are:
53 TCP – This is for DNS, or name resolution; you will need it
53 UDP – This is also for DNS
80 TCP – This allows web sites
443 TCP – This allows secure web sites
21 TCP – This allows FTP sites which are also quite common
E-Mail Ports
If you use web based email, you are done. If you have a hosted email service (for example, you get email from your ISP), find out the addresses of their mail servers. Then add these ports to get email working:
25 TCP – This is so you can send email, only allow it TO your hosted mail server
110 TCP – This is so you can receive email, only allow it TO your hosted mail server
If you have your own mail server at your company, you will need to allow only one port for email to work properly.
25 TCP – This is so you can send email, only allow it FROM your internal mail server
Additional Ports
Ping, or ICMP traffic, is not required, but it is used so often in troubleshooting that it is worth allowing out of the network as well. ICMP is a protocol rather than a TCP or UDP service, so it has no port number associated with it. Most firewalls make this easy; often it is just a check box.
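The procedure above, written out as a rule set for a Linux gateway, is added here as an example; it is not part of the original article and does not describe any particular firewall appliance. It assumes names the article does not give: a LAN interface eth1, a WAN interface eth0, a hosted mail server at 203.0.113.10 (a documentation address used as a placeholder), and an optional INTERNAL_MAIL_SERVER variable for the own-mail-server case. The script prints the iptables commands rather than applying them, so the list can be reviewed (and checked) before it is run as root.

```shell
#!/bin/sh
# Added example, not from the original article: generate an outbound
# (LAN -> internet) iptables rule set that follows the article's steps:
# allow replies to sessions the LAN opened, permit only the listed ports,
# restrict mail ports to the mail server, allow ping, and put "deny any"
# at the bottom of the list.
#
# Assumed values (placeholders, not from the article):
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
MAIL_SERVER="${MAIL_SERVER:-203.0.113.10}"          # hosted mail server
INTERNAL_MAIL_SERVER="${INTERNAL_MAIL_SERVER:-}"    # set if you run your own

# Prints the rules instead of applying them; pipe to "sh" as root on the
# gateway once they have been reviewed.
build_outbound_rules() {
    out="iptables -A FORWARD -i $LAN_IF -o $WAN_IF"

    echo "iptables -F FORWARD"
    # Chain policy is DROP so nothing slips through if the list is empty.
    echo "iptables -P FORWARD DROP"
    # Replies to sessions the LAN opened are allowed back in. This is what
    # makes an outbound-only policy usable, and also why a program that gets
    # one connection out receives its return traffic.
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Basic browsing ports from the article.
    echo "$out -p udp --dport 53 -j ACCEPT"        # DNS
    echo "$out -p tcp --dport 53 -j ACCEPT"        # DNS over TCP
    echo "$out -p tcp --dport 80 -j ACCEPT"        # web sites
    echo "$out -p tcp --dport 443 -j ACCEPT"       # secure web sites
    echo "$out -p tcp --dport 21 -j ACCEPT"        # FTP control channel

    if [ -n "$INTERNAL_MAIL_SERVER" ]; then
        # Own mail server on the LAN: port 25 only FROM that host.
        echo "$out -s $INTERNAL_MAIL_SERVER -p tcp --dport 25 -j ACCEPT"
    else
        # Hosted e-mail: 25 and 110 only TO the provider's mail server.
        echo "$out -d $MAIL_SERVER -p tcp --dport 25 -j ACCEPT"    # send
        echo "$out -d $MAIL_SERVER -p tcp --dport 110 -j ACCEPT"   # receive
    fi

    # Ping out for troubleshooting; ICMP has a type, not a port.
    echo "$out -p icmp --icmp-type echo-request -j ACCEPT"

    # "Deny any" stays last: iptables matches top to bottom, so any rule
    # appended after this one would never be reached.
    echo "$out -j DROP"
}

# Small checks on the generated list, usable from a self-test.
last_rule()     { build_outbound_rules | tail -n 1; }
count_accepts() { build_outbound_rules | grep -c -- '-j ACCEPT'; }

if [ "${1:-}" = "--show" ]; then
    build_outbound_rules
fi
```

Run it with --show to print the list, or source it and call build_outbound_rules. One caveat the article's port list does not cover: FTP opens a second connection for data on another port, and on iptables the RELATED state only admits it when the FTP connection-tracking helper (nf_conntrack_ftp) is loaded; without it, FTP sessions will stall after login.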
That’s it for 9 out of 10 companies. If you have other applications, such as games, VoIP, or remote connections directly to computers on the internet, you may have a few other ports to enable. You can usually find the required ports with a quick internet search, or just contact the vendor.
For additional information or support please contact us at 303-482-1242.