Full Version: OZONE - VLAN ACL filter
The Planet Forums > Security > Firewalls > Ozone
rmoseley
OZONE - Protect your servers with our new VLAN ACL filter rule sets. With one of the following Access Control List templates applied to your VLAN at the router level, your server(s) can be protected from exploits on unused TCP and UDP ports. Protect your servers by choosing between a Windows server environment, Unix server environment, an OS neutral server environment or a Game server environment template that was designed by The Planet's security experts. If you are unsure then you can just apply a Generic Deny Environment that only blocks well-known vulnerable ports.

Here is a list of the templates to choose from:
Windows Server Environment
-----------------------------------------
Allow 21 TCP – FTP (passive only)
Allow 25 TCP – SMTP
Allow 53 TCP/UDP – DNS
Allow 80 TCP – HTTP
Allow 110 TCP – POP3
Allow 113 TCP – IDENT
Allow 143 TCP – IMAP
Allow 443 TCP – HTTPS (SSL)
Allow 808 TCP – DiskSync
Allow 1433 TCP – Microsoft SQL
Allow 3306 TCP – MySQL
Allow 3389 TCP – Terminal Services
Allow range 5900-5901 – VNC
Allow 8086 TCP – Helm (control panel)
Allow 8181 TCP – Imail (admin)
Allow 8383 TCP – Imail (webmail)
Allow 8385 TCP – Imail (calendar)
Allow 8484 TCP – Imail (calendar)
Allow range 8442-8443 TCP – Plesk (control panel)
Allow 8080 TCP – generic control panel
Allow 8888 TCP – general control panel
Allow 9999 TCP – Urchin Stats
Allow 1723 TCP – PPTP
Allow 47 GRE – PPTP
DENY all other ports

Unix Server Environment
----------------------------------
Allow 21 TCP – FTP (passive only)
Allow 22 TCP – SSH
Allow 25 TCP – SMTP
Allow 53 TCP/UDP – DNS
Allow 80 TCP – HTTP
Allow 110 TCP – POP3
Allow 113 TCP – IDENT
Allow 143 TCP – IMAP
Allow 443 TCP – HTTPS (SSL)
Allow 808 TCP – DiskSync
Allow 1521 TCP – MySQL manager
Allow 1526 TCP – MySQL manager
Allow range 2080-2099 TCP – Cpanel (control panel)
Allow 3306 TCP – MySQL
Allow 4643 TCP – Virtuozzo (control panel)
Allow range 5900-5901 – VNC
Allow 8080 TCP – generic control panel
Allow range 8442-8443 TCP – Plesk (control panel)
Allow 8888 TCP – generic control panel
Allow 9999 TCP – Urchin Stats
Allow 10000 TCP – Webmin (control panel)
Allow 500 UDP – IKE (VPN)
Allow 50 TCP/UDP – IPSEC (VPN)
Allow 51 TCP/UDP – IPSEC (VPN)
DENY all other ports

OS Neutral Server Environment
-------------------------------------------
Allow 21 TCP – FTP (passive only)
Allow 22 TCP – SSH
Allow 25 TCP – SMTP
Allow 53 TCP/UDP – DNS
Allow 80 TCP – HTTP
Allow 110 TCP – POP3
Allow 113 TCP – IDENT
Allow 143 TCP – IMAP
Allow 443 TCP – HTTPS (SSL)
Allow 808 TCP – DiskSync
Allow 1433 TCP – Microsoft SQL
Allow 1521 TCP – MySQL manager
Allow 1526 TCP – MySQL manager
Allow range 2080-2099 TCP – Cpanel (control panel)
Allow 3306 TCP – MySQL
Allow 4643 TCP – Virtuozzo (control panel)
Allow 3389 TCP – Terminal Services
Allow range 5900-5901 – VNC
Allow 8086 TCP – Helm (control panel)
Allow 8181 TCP – Imail (admin)
Allow 8383 TCP – Imail (webmail)
Allow 8385 TCP – Imail (calendar)
Allow 8484 TCP – Imail (calendar)
Allow range 8442-8443 TCP – Plesk (control panel)
Allow 8080 TCP – generic control panel
Allow 8888 TCP – general control panel
Allow 9999 TCP – Urchin Stats
Allow 10000 TCP – Webmin (control panel)
Allow 500 UDP – IKE (VPN)
Allow 50 TCP/UDP – IPSEC (VPN)
Allow 51 TCP/UDP – IPSEC (VPN)
Allow 1723 TCP – PPTP
Allow 47 GRE – PPTP
DENY all other ports

Game Server Environment
------------------------------------
Allow 21 TCP – FTP (passive only)
Allow 22 TCP – SSH
Allow 25 TCP – SMTP
Allow 53 TCP/UDP – DNS
Allow 80 TCP – HTTP
Allow 110 TCP – POP3
Allow 113 TCP – IDENT
Allow 143 TCP – IMAP
Allow 443 TCP – HTTPS (SSL)
Allow 808 TCP – DiskSync
Allow 3389 TCP – Terminal Services
Allow range 5900-5901 – VNC
Allow 8365 TCP – Cortex (game control panel)
Allow 8080 TCP – generic control panel
Allow 8888 TCP – generic control panel
Allow 9999 TCP – Urchin Stats
Allow range 2300-2400 – Halo Engine games
Allow range 4000-8000 TCP/UDP – Unreal Engine games
Allow range 12000-16000 TCP/UDP – Medal of Honor, Battlefield Engine games
Allow range 26000-30000 TCP/UDP – Quake, DOOM, COD, HL Engine games
DENY all other ports

Generic Deny Filter
--------------------------
Deny common vulnerable ports [hidden from view for security reasons]
ALLOW all of the rest

Rules:
-These filters are rule-based packet filters (Access Control Lists) applied to your routed VLAN interface. They are not designed to take the place of a true firewall, and as such do not offer the same type of functionality or performance. There is a chance that some applications will not function properly because of the filter.
-Only one template per VLAN
-Single Template applies to all servers within the VLAN
-These templates cannot be customized. If you require special rules then a hardware firewall might be better suited to your needs. Please contact our sales department.
-VLAN Filters can only be added or removed from within your ORBIT interface at 5-minute intervals.
-The Planet Security Engineers will constantly review the current threats on the Internet and add or remove ports from these lists at will.
-There will be a fee involved in moving servers between VLANs.
-Logs are not supported
Guspaz
Errm, what ports are blocked by the "Generic Deny Filter"?

I mean, how can we ask ports to be blocked when we don't know what ports will be blocked?
dball
I have a couple of suggestions for additional ports which should be open.

Port 26 should be open since WHM/CPanel allow you to run SMTP on that port in case your end user's ISP blocks port 25.

I've noticed NNTP traffic on the "Network Netflow Statistics" graphs in Orbit. IIRC, Port 119 needs to be open for NNTP.

--- David
facecake
Would it be possible to integrate a "customisable" rule set into orbit or something (for an extra monthly fee)?
zealousworks
UDP port 6277 would be good for DCC communication as well...

http://www.rhyolite.com/anti-spam/dcc/dcc.html
http://www.rhyolite.com/anti-spam/dcc/FAQ#...#firewall-ports
NxTek
Are there any ports set aside for PASV FTP connections? If VLAN filters are in place, clients who FTP have to use PORT connections. Normally it wouldn't matter but FTP clients are set to PASV by default.
NxTek
QUOTE (NxTek)
Are there any ports set aside for PASV FTP connections? If VLAN filters are in place, clients who FTP have to use PORT connections. Normally it wouldn't matter but FTP clients are set to PASV by default.


Ric?
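An added example, not code from the thread or The Planet's own router configuration: it parses template lines written in the format rmoseley posted into rules, renders them in Cisco-IOS-style extended-ACL syntax, and evaluates packets against them, ending with NxTek's passive-FTP case (port 21 is permitted, the high-numbered data port the server hands out falls through to the deny). The excerpt of the OS Neutral template, the ACL name and the sample ports are constructed; lines that name no protocol (VNC) are assumed to cover TCP and UDP, and the ACL is treated as stateless, as the post's rules describe.

```python
import re

# Constructed excerpt of the post's "OS Neutral Server Environment" template, in the post's own line format.
TEMPLATE = """\
Allow 21 TCP – FTP (passive only)
Allow 53 TCP/UDP – DNS
Allow 443 TCP – HTTPS (SSL)
Allow range 5900-5901 - VNC
Allow 47 GRE – PPTP
DENY all other ports
"""
RULE_RE = re.compile(r"^Allow\s+(?:range\s+)?(\d+)(?:-(\d+))?\s*(TCP/UDP|TCP|UDP|GRE)?\s*[-–]\s*(.+)$")
DEFAULT_PROTOS = frozenset({"TCP", "UDP"})  # assumption: the post gives no protocol for VNC, so cover both

def parse_template(text):
    """Parse 'Allow ...' lines into (protocols, low, high, label); the trailing DENY is the implicit default."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:  # 'DENY all other ports' and blank lines carry no explicit rule
            continue
        lo, hi, proto, label = m.groups()
        if proto == "GRE":  # 47 is the IP protocol number of GRE, not a port
            rules.append((frozenset({"GRE"}), None, None, label))
        else:
            rules.append((frozenset(proto.split("/")) if proto else DEFAULT_PROTOS, int(lo), int(hi or lo), label))
    return rules

def is_allowed(rules, proto, dport=None):
    """Evaluate one inbound packet the way the router ACL does: first matching Allow wins, otherwise deny."""
    return any(proto in protos and (lo is None or lo <= dport <= hi) for protos, lo, hi, _ in rules)

def to_cisco_acl(rules, name="OZONE-OSNEUTRAL"):
    """Render the rules in Cisco IOS extended-ACL syntax (constructed illustration, not the provider's config)."""
    out = [f"ip access-list extended {name}"]
    for protos, lo, hi, label in rules:
        out.append(f" remark {label}")
        for p in sorted(protos):
            match = "" if p == "GRE" else (f" eq {lo}" if lo == hi else f" range {lo} {hi}")
            out.append(f" permit {p.lower()} any any{match}")
    out.append(" deny ip any any")  # the template's 'DENY all other ports'
    return out

if __name__ == "__main__":
    rules = parse_template(TEMPLATE)
    print("\n".join(to_cisco_acl(rules)))
    # NxTek's passive-FTP case: port 21 is allowed, but the data connection the server asks the
    # client to open on a high port has no matching Allow line and falls through to the deny.
    print("FTP control 21:", is_allowed(rules, "TCP", 21), " PASV data 50123:", is_allowed(rules, "TCP", 50123))
```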