That's why Windozes gets a lot of stick, because it's not as secure and doesn't conform 100% to the TCP/IP RFCs.
If the desktop is behind the router/firewall, then unless you're paranoid you don't normally secure it: "that's the firewall's job".
Or you have a DMZ, where you start having a tri-homed firewall design to increase security.
Anyway,
You just have to think in port numbers.
So you want to only allow your firewall to connect to some services and Reject the others.
Allow outgoing tcp 21 "ftp"
Allow outgoing tcp 20 "ftp passive"
Allow outgoing tcp 80 "http"
Allow outgoing tcp 443 "https"
Allow outgoing tcp 53 "DNS"
Allow outgoing udp 53 "DNSr"
Allow incoming tcp source port 80 destination above 1023
Allow incoming tcp source port 21 destination above 1023
Allow incoming tcp source port 20 destination above 1023
Allow incoming tcp source port 443 destination above 1023
Allow incoming tcp static source port 53 destination above 1023
Allow incoming udp static source port 53 destination above 1023
Reject all other connections
If you read my script from my previous post, this is what it does. There is no quick fix or shortcut when it comes to security; otherwise why bother with a firewall, just turn off the services you don't use instead.
It also answers your question "What would a solid rule set look like for a computer like that?"
I suggest you understand the fundamentals of TCP/IP by reading some books like "Internet Core Protocols"; then it's a lot easier to create your own firewall, as it's unique to your requirements. I could show you what yours should look like, but I don't know your ISP, your DNS, your mail provider or your security requirements, and you won't learn how to do it.
/Raz
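The port-number policy listed in the post, rendered as iptables commands. This is an added example, not Raz's script from the earlier post; the interface name "eth0" and the loopback allow rules are assumptions, and it defaults to printing the commands (DRY_RUN=1) so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: translate the "think in port numbers" policy above into
# iptables rules. IFACE is an assumption; DRY_RUN=1 (the default) prints
# each command instead of running it.
IFACE="${IFACE:-eth0}"
EPHEMERAL="1024:65535"   # "destination above 1023"

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# Outgoing: the services the host may connect to (tcp 21, 20, 80, 443, 53; udp 53).
gen_outbound() {
    for p in 21 20 80 443 53; do
        run -A OUTPUT -o "$IFACE" -p tcp --dport "$p" -j ACCEPT
    done
    run -A OUTPUT -o "$IFACE" -p udp --dport 53 -j ACCEPT
}

# Incoming: replies only, i.e. source port is the remote service and the
# destination is an unprivileged local port (the stateless design in the post).
gen_inbound() {
    for p in 80 21 20 443 53; do
        run -A INPUT -i "$IFACE" -p tcp --sport "$p" --dport "$EPHEMERAL" -j ACCEPT
    done
    run -A INPUT -i "$IFACE" -p udp --sport 53 --dport "$EPHEMERAL" -j ACCEPT
}

gen_ruleset() {
    run -F
    run -P INPUT DROP
    run -P OUTPUT DROP
    run -P FORWARD DROP
    run -A INPUT -i lo -j ACCEPT     # assumption: local services need loopback
    run -A OUTPUT -o lo -j ACCEPT
    gen_outbound
    gen_inbound
    run -A INPUT -j REJECT           # "Reject all other connections"
    run -A OUTPUT -j REJECT
}

gen_ruleset
```

Because the inbound rules match on source port alone, anything that sends from port 80 or 53 can reach an unprivileged local port; a connection-tracking (conntrack) rule set closes that gap and is the usual modern replacement.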