# Ports required for System Insight Manager / IRS
block return-rst in log quick proto tcp from 1.2.3.4/32 to any head 10
pass in quick proto tcp from 1.2.3.4/32 to any port = wbem-http flags S keep state keep frags group 10
pass in quick proto tcp from 1.2.3.4/32 to any port = wbem-https flags S keep state keep frags group 10
pass in quick proto tcp from 1.2.3.4/32 to any port = 2381 flags S keep state keep frags group 10
pass in quick proto tcp from 1.2.3.4/32 to any port = 2301 flags S keep state keep frags group 10
pass in quick proto tcp from 1.2.3.4/32 to any port = 22 flags S keep state keep frags group 10
block return-icmp(port-unr) in log quick proto udp from 1.2.3.4/32 to any
Replace 1.2.3.4 with the IP address of your CMS.
The rules are set up as a group, to optimize filter processing: any TCP packet that comes in from the CMS goes in group 10, where the filter tries to match it with group 10's rules.
If the TCP packet originating from the CMS is trying to reach the WBEM Services, The System Management Homepage or the SSH port, it goes through. In all other cases, we're a good IP citizen here, as anything that does not match these rules will be sent back a TCP reset (return-rst) instead of seeing its packet dropped. This accelerates the scanning from SIM, and also fixes a problem with WEBES that can hang for a while when it has to deal with dropped packets. We also return an ICMP port unregistered for each UDP packet, since no service at all listens on UDP (not even SNMP).
No comments:
Post a Comment