DSL Firewall

From SonicWiki

Sonic.net's port firewalling features provide various levels of protection for Sonic.net-connected computers. By using one of the three levels of filtering, you can protect your systems from many common Internet threats. We suggest that you select a level of protection appropriate for your type of Internet usage and your understanding of system security.

This document is intended to provide you with a brief overview of the firewalling options for your DSL service. These firewalling rule sets are not intended to be used as a replacement for full-featured hardware or software firewall solutions, but are designed to provide basic protection for specific ports and services. DSL customers can change their filtering preference level by clicking on the DSL Firewall Setup tool.

Customers are encouraged to turn on automatic system updates (Windows users, see Windows Update; Mac users, see Apple Service & Support) and to enable any system-level firewalls available. We also recommend the use of an anti-virus package which is automatically updated. While most viruses and system exploits which arrive via email are blocked by Sonic.net's email server anti-virus solutions, they may not be blocked by firewalling, and up-to-date anti-virus software is an important last line of defense.

Option One: Complete Inbound TCP Firewalling

This firewall rule set prevents any inbound TCP connections from being established, protecting your system from most types of Internet attacks. It also blocks traffic to port 25 (SMTP email) from a customer's circuit to any mail servers other than Sonic.net maintained servers.

This filter set will allow most applications to function correctly while providing as much filtering as possible. This firewalling set is appropriate for users who use their computers primarily for e-mail and web browsing and would like the maximum protection that we can offer. In some rare cases, some applications may not function when this level of firewalling is enabled; if you encounter any difficulties with specific applications, try the default firewalling configuration as an initial troubleshooting step.

Note: Inbound is from the customer, Outbound is to the customer.

	Inbound:
		permit tcp any host mail.sonic.net eq 25
		deny tcp any any eq 25
		deny tcp any eq 25 any
		permit tcp any any
		permit udp any any
		permit icmp any host 64.142.100.44 (latency-tester)
		deny ip any any
	Outbound:
		deny tcp any any range 135 139
		deny tcp any any eq 445
		deny tcp any any eq 593
		permit tcp any any established
		deny udp any any range 135 139
		deny udp any any eq 445
		permit udp any any
		permit icmp host 64.142.100.44 any (latency-tester)
		deny ip any any
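As an added example that is not part of this page or of Sonic.net's equipment, the Python below evaluates a packet against these rule lists with first-match semantics (implicit deny when nothing matches), so you can check what Option One, Two or Three does to a given flow. It assumes "established" matches only reply traffic for a connection the customer already opened, and the addresses used in the checks are constructed sample values.

```python
# Added example: first-match evaluator for the Cisco-style access lists on this page.
# The "Outbound" list of Option One (traffic toward the customer) is embedded verbatim.
OPTION_ONE_OUTBOUND = """
deny tcp any any range 135 139
deny tcp any any eq 445
deny tcp any any eq 593
permit tcp any any established
deny udp any any range 135 139
deny udp any any eq 445
permit udp any any
permit icmp host 64.142.100.44 any (latency-tester)
deny ip any any
""".splitlines()

def _addr_port(tok, i):
    """Parse 'any' | 'host X', then an optional 'eq N' | 'range A B'."""
    host = None if tok[i] == "any" else tok[i + 1]
    i += 1 if host is None else 2
    ports = None
    if i < len(tok) and tok[i] == "eq":
        ports, i = (int(tok[i + 1]), int(tok[i + 1])), i + 2
    elif i < len(tok) and tok[i] == "range":
        ports, i = (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return host, ports, i

def parse_acl(lines):
    """Turn rule lines into (action, proto, src, sports, dst, dports, established)."""
    rules = []
    for line in lines:
        tok = line.split("(")[0].split()  # drop "(latency-tester)" style annotations
        if not tok:
            continue
        src, sports, i = _addr_port(tok, 2)
        dst, dports, i = _addr_port(tok, i)
        established = i < len(tok) and tok[i] == "established"
        rules.append((tok[0], tok[1], src, sports, dst, dports, established))
    return rules

def _in_range(ports, port):
    return ports is None or ports[0] <= port <= ports[1]

def evaluate(rules, proto, src, dst, sport=0, dport=0, established=False):
    """First matching rule decides; a list with no match denies (implicit deny)."""
    for action, rp, rs, rsp, rd, rdp, rest in rules:
        proto_ok = rp in ("ip", proto)
        addr_ok = rs in (None, src) and rd in (None, dst)
        port_ok = _in_range(rsp, sport) and _in_range(rdp, dport)
        if proto_ok and addr_ok and port_ok and (established or not rest):
            return action
    return "deny"
```

Running the Option One outbound list shows why it blocks an unsolicited SYN to a customer's port 80 (only the established rule permits TCP) while replies to the customer's own browsing pass, and why a reply on port 445 is still dropped because the deny precedes the established rule.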

Option Two (Default, recommended by Sonic.net): Common Exploitable Port Firewalling

This is the default firewall rule set applied to DSL circuits. It blocks traffic on port 25 (SMTP email) both to and from a customer's circuit to any mail servers other than Sonic.net maintained servers, and it prevents communication on ports used by common Microsoft services that are frequently exploited. This rule set should not interfere with any games or applications other than those that specifically rely on the blocked Microsoft NetBIOS (File and Printer Sharing) services.

Note: Inbound is from the customer, Outbound is to the customer.

	Inbound:
		permit tcp any host mail.sonic.net eq 25
		deny tcp any any eq 25
		deny tcp any eq 25 any
		permit ip any any
	Outbound:
		deny tcp any any range 135 139
		deny tcp any any eq 445
		deny tcp any any eq 593
		deny udp any any range 135 139
		deny udp any any eq 445
		permit ip any any

Option Three: Port 25 Firewalling

This firewall rule set only restricts traffic on port 25 (SMTP email) to and from a customer's circuit to any mail servers other than Sonic.net maintained servers. This is the minimum recommended rule set. This rule set generally prevents your computer from being hijacked and used to send SPAM directly to other mail servers.

DSL customers who wish to be able to submit directly to other SMTP servers should use an alternate port such as 587 (the mail submission port) to submit mail, or may instead use Sonic.net's own outbound servers at mail.sonic.net (which will process outbound mail for all domains, hosted here or elsewhere).

Note: Inbound is from the customer, Outbound is to the customer.

	Inbound:
		permit tcp any host mail.sonic.net eq 25
		deny tcp any any eq 25
		deny tcp any eq 25 any
		permit ip any any
	Outbound:
		permit ip any any

Option Four: No Firewalling

This option, as the name suggests, provides customers with no explicit firewalling on their DSL circuit. This option is available to static IP DSL customers. It is strongly recommended that only customers who are running their own secured mail servers on their DSL circuits elect to disable all firewalling protection.

Users running with no firewalling will be held accountable for network abuse that originates from their DSL circuit in accordance with the Sonic.net acceptable use policy. This level is only recommended for advanced customers who have a complete understanding of system and network security, including the prevention of mail relay abuse.

Please Note: With some SOHO routers, it may be necessary to reboot after making significant changes to the behavior of your connection. In effect, no filtering is applied:

	Inbound:
		permit ip any any
	Outbound:
		permit ip any any