It's called *Port*sentry for a reason :-]
With Portsentry you can either (un)block ports, or (un)block ranges; you should add all DNSes, connecting mailservers etc. to the ignore file anyway, and make sure which mode Portsentry runs in to determine if you should add publicly accessible ports to the ignore section of the config or chalk up the ranges. Portsentry seems to accept netmasks, so IIRC, you could get away with specifying 192.180.0.0/255.255.0.0-type ranges.
*IMO Portsentry should be replaced with Snort.
Snort isn't the same in that it doesn't have blocking capabilities, but it is more advanced because it *scans* incoming packets (on all ports) for malicious contents. By comparing them with "signatures" it is able to detect abuse of services by exploits/dos/trojan/whatever else. It also comes with complementary apps that can do the blocking.
Also I would like to make a note on Single Points Of Failure. Any of these apps, including the firewall, can be considered that way, because they don't check themselves for having running state or validity of the rules they put out, only if their own config is right at startup. In case of (inadvertent|malicious) breakage this would leave the services on your box unprotected and open for public (mis)usage. Run services on separate boxen (eggs in one basket), don't run services(+versions) with known vulnerabilities, make sure your webapps are well-coded and maintained, chroot/jail if necessary.
HTH somehow
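An added example (not part of the post above, and not Portsentry's own code) showing the ignore-list handling the reply describes: parsing an ignore file that mixes bare hosts, CIDR prefixes and dotted netmasks like 192.180.0.0/255.255.0.0, deciding whether a probing address is on the ignore list, and flagging entries wide enough that they quietly exempt a large range from blocking. The file format (one entry per line, `#` comments, netmask in CIDR or dotted form) and the sample entries are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample ignore file in Portsentry's style. Assumption: one
# entry per line, '#' starts a comment, an entry is a bare host, a CIDR
# prefix, or an address with a dotted-decimal netmask.
SAMPLE_IGNORE = """\
# localhost and the unspecified address
127.0.0.1/32
0.0.0.0
# our DNS resolvers and the upstream mail relay
10.0.0.53
10.0.0.54
192.0.2.25
# the whole office range, netmask form as mentioned in the post
192.180.0.0/255.255.0.0
# same idea in CIDR form
198.51.100.0/24
"""


def parse_ignore(text):
    """Parse ignore-file text into ip_network objects.

    Returns (networks, errors); errors lists (line number, raw line, reason)
    so a bad entry is reported instead of silently dropped, which matters
    because a mis-typed line means a host you meant to exempt gets blocked.
    """
    nets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # ip_network accepts both '/24' and '/255.255.255.0' suffixes;
            # strict=False tolerates host bits set, e.g. '10.0.0.53/24'.
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            errors.append((lineno, raw, str(exc)))
    return nets, errors


def is_ignored(addr, nets):
    """True if addr falls inside any ignored network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def decide(addr, nets):
    """Mimic the block/ignore decision for a host that touched a watched port."""
    return "ignore" if is_ignored(addr, nets) else "block"


def overly_broad(nets, max_hosts=256):
    """Flag entries covering more than max_hosts addresses.

    A wide ignore range disables blocking for every host inside it, so it is
    worth reviewing each one deliberately.
    """
    return [str(net) for net in nets if net.num_addresses > max_hosts]


if __name__ == "__main__":
    nets, errors = parse_ignore(SAMPLE_IGNORE)
    for err in errors:
        print("bad ignore entry:", err)
    for probe in ("192.180.42.7", "10.0.0.53", "203.0.113.9"):
        print(probe, "->", decide(probe, nets))
    print("broad entries:", overly_broad(nets))
```

The `overly_broad` check is the part worth keeping around: the post's point about adding whole ranges is sound, but each range that goes into the ignore file is a range the sentry will never react to, so it should be reviewed as a whitelist rather than just appended to.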