TCP/IP Packet Filtering
Ports to block:
- Filter connections to all privileged ports (less than 1024) and explicitly allow connections only to the desired services, such as SMTP.
- Filter connections to the X server (ports 6000-600X). If you need to allow remote
connections to the X server, use a secure forwarding scheme such as SSH.
- Filter connections to OpenWindows (port 2000).
- Filter connections to NFSD (port 2049).
- Make sure you filter the correct udp and tcp ports. For a service that offers both
udp and tcp based connections it is easy to filter only one of the two by mistake
instead of both.
Ports to allow:
- Only allow connections to ports and hosts that are providing a service to the outside world such as the mail hub (port 25) or the DNS server (tcp and udp port 53).
IP packets to drop:
- Drop all packets with source or destination address of 127.0.0.1.
- Drop all packets with source or destination address of 0.0.0.0.
- Drop all packets with a private IP address such as 10.*.*.*, 172.16-31.*.*,
and 192.168.*.*.
- Stop all packets with internal source address from passing inward.
- Stop all packets with external source addresses from passing outward.
- Stop all packets with external destination addresses from passing inward.
- Stop all packets with internal destination addresses from passing outward.
- Drop all source routed packets.
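The three lists above (ports to block, ports to allow, packets to drop) describe a border filter policy in prose. The following is an added example, not part of the original page, that encodes that policy as a stateless packet classifier and runs constructed sample packets through it. The address plan (an internal /24 of 198.51.100.0/24, a mail hub at 198.51.100.25, a DNS server at 198.51.100.53, and outside hosts in 203.0.113.0/24) is an assumption for illustration; the loopback rule is generalised to the whole 127.0.0.0/8 block rather than just 127.0.0.1, and the X server range is taken as 6000-6063.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed address plan (assumption, not from the original checklist).
INTERNAL_NET = ipaddress.ip_network("198.51.100.0/24")
MAIL_HUB = ipaddress.ip_address("198.51.100.25")
DNS_SERVER = ipaddress.ip_address("198.51.100.53")

# Addresses that must never appear on either side of a border packet:
# loopback (generalised from 127.0.0.1 to the whole block), unspecified, RFC 1918.
BOGON_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Services offered to the outside world: (proto, destination port, host).
# Note that DNS is listed for both tcp and udp, as the checklist warns.
ALLOWED_SERVICES = {
    ("tcp", 25, MAIL_HUB),
    ("tcp", 53, DNS_SERVER),
    ("udp", 53, DNS_SERVER),
}

# Ports blocked for both tcp and udp on every host: X (6000-6063, assumed
# range), OpenWindows (2000) and NFSD (2049).
BLOCKED_PORTS = set(range(6000, 6064)) | {2000, 2049}


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" = arriving from outside, "out" = leaving
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp
    source_routed: bool = False  # LSRR/SSRR IP option present


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return addr in INTERNAL_NET


def is_bogon(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in BOGON_NETS)


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Apply the checklist in order; return (verdict, reason)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)

    # 1. Loopback, unspecified and private space never cross the border.
    if is_bogon(src) or is_bogon(dst):
        return ("drop", "bogon address")

    # 2. Anti-spoofing: addresses must match the interface direction.
    if pkt.direction == "in":
        if is_internal(src):
            return ("drop", "internal source arriving from outside")
        if not is_internal(dst):
            return ("drop", "external destination arriving from outside")
    elif pkt.direction == "out":
        if not is_internal(src):
            return ("drop", "external source leaving from inside")
        if is_internal(dst):
            return ("drop", "internal destination leaving from inside")
    else:
        return ("drop", "unknown direction")

    # 3. Source-routed packets let the sender dictate the path; drop them.
    if pkt.source_routed:
        return ("drop", "source routed")

    # 4. Inbound port policy: blocked ports first, then default-deny on
    #    privileged ports unless (proto, port, host) is explicitly allowed.
    #    High ports are accepted so replies to internal clients get through;
    #    a stateful filter would track those instead of trusting the port.
    if pkt.direction == "in" and pkt.proto in ("tcp", "udp"):
        if pkt.dport is None:
            return ("drop", "transport packet without port")
        if pkt.dport in BLOCKED_PORTS:
            return ("drop", f"blocked port {pkt.dport}/{pkt.proto}")
        if pkt.dport < 1024:
            if (pkt.proto, pkt.dport, dst) in ALLOWED_SERVICES:
                return ("accept", f"allowed service {pkt.dport}/{pkt.proto}")
            return ("drop", f"privileged port {pkt.dport}/{pkt.proto} not allowed")

    return ("accept", "default")


if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.x are outside hosts.
    samples = [
        Packet("in", "tcp", "203.0.113.9", "198.51.100.25", 25),
        Packet("in", "tcp", "203.0.113.9", "198.51.100.53", 25),
        Packet("in", "udp", "203.0.113.9", "198.51.100.7", 2049),
        Packet("in", "tcp", "198.51.100.5", "198.51.100.7", 80),
        Packet("out", "tcp", "198.51.100.7", "203.0.113.9", 80),
        Packet("in", "tcp", "203.0.113.9", "198.51.100.7", 22, source_routed=True),
    ]
    for p in samples:
        print(p.direction, p.proto, p.src, "->", p.dst, p.dport, filter_packet(p))
```

The ordering matters: address sanity and anti-spoofing run before any port logic, so a spoofed packet is dropped even when it targets an allowed service, and the allowlist is keyed on host as well as port, so SMTP to anything other than the mail hub is refused.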