[21155] in Athena Bugs
Re: Incoming / Outgoing Ports list for Solaris Athena
daemon@ATHENA.MIT.EDU (Garry Zacheiss)
Tue Dec 3 15:39:34 2002
Message-Id: <200212032039.PAA25758@brad-majors.mit.edu>
To: Tom Cavin <cavin@MIT.EDU>
cc: Athena Bugs list <bugs@MIT.EDU>
In-Reply-To: Your message of "Tue, 03 Dec 2002 12:50:34 EST."
<15852.61162.321033.931711@lap1-wccf.mit.edu>
Date: Tue, 03 Dec 2002 15:39:32 -0500
From: Garry Zacheiss <zacheiss@MIT.EDU>
Hi Tom,
The short answer is that we prefer Athena machines not be behind
a firewall at all, and if it's possible to not filter any incoming
traffic for the machine, that's best. I'm not aware of there being any
security holes in the current Athena release that were actually
exploited since I started working here; we have been vulnerable to
things, but usually fix them within a couple of days of the
announcement, before exploits appear in the wild. It's also been our
experience that supporting Athena machines in a firewalled environment
tends to generate a lot of unnecessary support load for no perceivable
security benefit.
>> Does there exist a ports list that would tell them what type of incoming
>> and outgoing traffic is normal on which ports for an Athena box? Or
>> would such a list be easy to make? And how could I get or make it?
There is no official list, but the things that come to mind are:
UDP ports 88, 750 for Kerberos (kinit, etc)
UDP port 464 (krb5 password changing protocol)
UDP port 751 (krb4 password changing protocol)
(we changed from using the krb4 password changing protocol to the krb5
one midway through 9.1, so opening both is clever)
UDP ports 7000 - 7009 (AFS fileserver, cache manager, vldb, prdb, etc)
If the machine is remotely accessible via mkserv remote, all of these
will be running. You can decide which ones you want.
TCP 21 ftp
TCP 22 ssh
TCP 23 telnet
TCP 543 kerberized rlogin
TCP 544 kerberized rsh
TCP 2105 encrypted kerberized rlogin
TCP 49155 athinfo (remote workstation information service)
TCP 1109 kerberized pop
TCP 142, 143, 992 various flavors of IMAP
These are the ones that come immediately to mind; there are almost
certainly others. You can discover others with lsof and netstat if you
feel so inclined.
If the machine has to be behind a firewall, I'd strongly urge you to
not filter outgoing traffic at all, only incoming traffic, at which
point many entries on the above list become unnecessary.
Garry
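
An added example, not part of the original message: one way to turn the port list above into a check against what a machine is actually listening on, reporting listeners the list does not mention. The Solaris-style `netstat -an` layout and the sample text are constructed assumptions; the function names are hypothetical.

```python
import re

# Ports named in the message above (which says the list is not exhaustive).
LISTED = {
    "udp": {88, 750, 464, 751, *range(7000, 7010)},
    "tcp": {21, 22, 23, 543, 544, 2105, 49155, 1109, 142, 143, 992},
}

# Constructed sample in the style of Solaris `netstat -an` (assumed layout).
SAMPLE = """\
UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
      *.7001                                Idle
      *.514                                 Idle

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.49155              *.*                0      0 49152      0 LISTEN
      *.6000               *.*                0      0 49152      0 LISTEN
192.0.2.10.22        192.0.2.77.40112     64240      0 49640      0 ESTABLISHED
"""

def listeners(netstat_text):
    """Return {(proto, port)} for sockets that accept inbound traffic."""
    found, proto = set(), None
    for line in netstat_text.splitlines():
        section = re.match(r"([A-Za-z]+):", line)
        if section:  # e.g. "TCP: IPv4"; unknown sections are skipped
            name = section.group(1).lower()
            proto = name if name in LISTED else None
            continue
        fields = line.split()
        if proto is None or not fields:
            continue
        port = re.search(r"\.(\d+)$", fields[0])  # address and port joined by "."
        # Unconnected UDP sockets show "Idle"; TCP must be in LISTEN state.
        if port and fields[-1] == ("Idle" if proto == "udp" else "LISTEN"):
            found.add((proto, int(port.group(1))))
    return found

def unlisted(netstat_text):
    """Listeners whose port is not on the message's list, sorted."""
    return sorted(p for p in listeners(netstat_text) if p[1] not in LISTED[p[0]])

if __name__ == "__main__":
    print(unlisted(SAMPLE))
```

On a real machine, pass the captured output of `netstat -an` to `unlisted()` in place of `SAMPLE`.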