# blocking udp ports to internal network

## darkphader

Working with an internal network connected to a Cisco router (doing NAT - private class C address range), a Gentoo server handling dhcpd, dns server (for internal address) and dns cache, mail (postfix for outgoing, fetchmail for some select mail users, and cyrus-imap), ntpd, Windows file & print sharing (CUPS, Samba).

Clients are general business users on Windows boxes. I'm wondering about the ramifications of blocking UDP packets (at the router, thinking outgoing should be sufficient) for all but the server system.

What are the things that UDP is really used for? Are there some outgoing UDP ports that I should leave open? Any reason to block the incoming UDP packets as well?

Thanks for any guidance.

Chris

----------

## freebies_11

 *darkphader wrote:*   

> Working with an internal network connected to a Cisco router (doing NAT - private class C address range), a Gentoo server handling dhcpd, dns server (for internal address) and dns cache, mail (postfix for outgoing, fetchmail for some select mail users, and cyrus-imap), ntpd, Windows file & print sharing (CUPS, Samba).
> 
> Clients are general business users on Windows boxes. I'm wondering about the ramifications of blocking UDP packets (at the router, thinking outgoing should be sufficient) for all but the server system.
> 
> What are the things that UDP is really used for? Are there some outgoing UDP ports that I should leave open? Any reason to block the incoming UDP packets as well?
> ...

 

Some applications use UDP. I wouldn't block it. It's not a security risk.

----------

## LoDown

Also, DNS and ntp rely on udp.  So your boxes would not be able to resolve public domain names (google.com, etc).  I tend to agree with Heelios (though I am not an expert).  From what I've read/heard udp is not what you need to be worrying about.  TCP is where you need to lock things down.

----------

## darkphader

I've seen warnings to block at least some UDP ports due to virus and worm threats.

As for DNS, the server handles that and I wasn't going to block it (all of the internal systems contact the DNS cache on the internal server for name resolution). The setup is an "unmanaged" T1 (means that the ISP doesn't provide or configure the router, nor do they provide mail services, etc. - we could probably forward some DNS queries but we don't).

Also most of the NTP updates are to the internal server as well, although I was going to open that port up for all of the Windows boxen that come pre-configured to contact a MS time server (not all of the systems are under domain control).

I'm thinking that by blocking UDP for all but the server I would eliminate a lot of junk bandwidth (streaming audio/video) usage so that those who are really working 

Hmmm...found this on the net:

 *Quote:*   

> OCIPEP recommends configuring firewalls to block outgoing connection attempts to UDP port 8998, UDP 123 [NTP] and UDP ports 995, 996, 997, 998 and 999. OCIPEP also recommends that organizations block all incoming and outgoing UDP ports unless it is essential for operational purposes. If organizations cannot block UDP ports, it is critical that all UDP traffic be carefully monitored for SoBig traffic. 

 

Makes me think I should require all internal users to time sync from the internal server.

Chris

----------

## jamapii

I block exactly those UDP ports on which I have servers listening.

----------

## LoDown

But he's worried about windows boxes, they could have 'servers' (worms/viruses/trojans/etc) listening on who knows what ports! :-D

----------

## darkphader

 *LoDown wrote:*   

> But he's worried about windows boxes, they could have 'servers' (worms/viruses/trojans/etc) listening on who knows what ports! :-D

 

I think they may have to be actively doing something and not just listening as wouldn't the NAT naturally stop incoming connections unless requested from inside?

I did, for a short experiment, block all of the outgoing udp ports except for ntp, and dns to the server.

I'm logging the rejects from the Cisco to syslog-ng on the server and notice one system is always trying to connect to the router on UDP port 1900. Don't know what it's trying to do but it does raise some curiosity.

Chris

----------

## think4urs11

1900/udp is Microsoft's UPnP - nothing to worry about, can safely be dropped

see http://www.microsoft.com/technet/itsolutions/network/plan/insidenet/sohonet/upnpsup.mspx

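The rejects darkphader logs from the Cisco to syslog-ng above are exactly the data needed to tune the UDP rules, and this reply shows the kind of triage they call for (1900/udp turning out to be UPnP discovery). The script below is an added example, not code from anyone in this thread: it parses Cisco IOS `%SEC-6-IPACCESSLOGP` ACL hit lines as relayed through syslog, totals denied UDP packets per source host and destination port, and sorts each (source, port) pair into a category: a denied packet from the internal DNS/NTP server means a permit rule is missing, a workstation going to an outside DNS/NTP server should be pointed at the internal server instead, SSDP/NetBIOS chatter is safe to keep dropping, and anything else gets flagged for a look. The log lines, addresses, ACL number and the server address `192.168.1.2` are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Cisco IOS ACL log lines as syslog-ng would store them.
# Hosts, ACL number, timestamps and counts are made up; the
# %SEC-6-IPACCESSLOGP message body is the real IOS format for logged
# TCP/UDP ACL matches.
SAMPLE_LOG = """\
Jun 12 09:15:01 gw 5012: Jun 12 09:15:00.812: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.1.57(1025) -> 192.168.1.1(1900), 1 packet
Jun 12 09:15:31 gw 5013: Jun 12 09:15:30.901: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.1.57(1025) -> 192.168.1.1(1900), 3 packets
Jun 12 09:16:02 gw 5014: Jun 12 09:16:01.117: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.1.88(137) -> 192.168.1.255(137), 4 packets
Jun 12 09:16:40 gw 5015: Jun 12 09:16:40.004: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.1.102(3001) -> 203.0.113.10(123), 1 packet
Jun 12 09:17:05 gw 5016: Jun 12 09:17:04.550: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.1.102(1033) -> 198.51.100.7(8998), 2 packets
Jun 12 09:17:22 gw 5017: Jun 12 09:17:21.300: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.168.1.2(53) -> 192.0.2.53(53), 1 packet
Jun 12 09:18:10 gw 5018: Jun 12 09:18:09.730: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.1.2(123) -> 192.0.2.123(123), 1 packet
"""

# Only the ACL message body is parsed; the syslog and router timestamp prefixes
# vary with configuration and are skipped by searching rather than matching.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>udp|tcp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Destination ports discussed in the thread, with what they normally carry.
KNOWN_UDP = {
    53: "DNS",
    123: "NTP",
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    1900: "SSDP (UPnP discovery)",
    8998: "port listed in the OCIPEP advisory quoted in the thread",
}
SERVER_SERVICES = {53, 123}       # what the internal server provides
LAN_CHATTER = {137, 138, 1900}    # discovery noise that can keep being dropped


def parse_acl_log(text):
    """Return one dict per line that carries an IOS IPACCESSLOGP message."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ACL hit, or a variant this parser does not handle
        rec = m.groupdict()
        for key in ("sport", "dport", "count"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize_denied_udp(records, server_hosts):
    """Total denied UDP packets per (source, dport) and categorise each pair.

    Returns (per_source, review): per_source maps source IP -> Counter of
    dport -> packets; review is a sorted list of (src, dport, category) with
    category one of 'permit-gap', 'redirect-to-server', 'discovery-noise'
    or 'investigate'.
    """
    per_source = defaultdict(Counter)
    for rec in records:
        if rec["action"] == "denied" and rec["proto"] == "udp":
            per_source[rec["src"]][rec["dport"]] += rec["count"]

    review = []
    for src, ports in per_source.items():
        for dport in ports:
            if src in server_hosts:
                category = "permit-gap"          # the server itself was blocked
            elif dport in SERVER_SERVICES:
                category = "redirect-to-server"  # client bypassing internal DNS/NTP
            elif dport in LAN_CHATTER:
                category = "discovery-noise"
            else:
                category = "investigate"
            review.append((src, dport, category))
    return dict(per_source), sorted(review)


if __name__ == "__main__":
    per_source, review = summarize_denied_udp(parse_acl_log(SAMPLE_LOG), {"192.168.1.2"})
    for src, dport, category in review:
        label = KNOWN_UDP.get(dport, "unknown service")
        print(f"{src:15} udp/{dport:<5} {per_source[src][dport]:4} pkts  {label:45} {category}")
```

Run against the live syslog-ng file instead of `SAMPLE_LOG` and the `permit-gap` rows tell you which permits the server still needs (the constructed NTP line here), while `investigate` rows are the short list worth tracing back to a process on the workstation.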
----------

