A Pre-Defined Rule Sets
This appendix provides information on EFW pre-defined rule sets.
Pre-defined Rule Set Name
Description
Windows NT 4.0 Standard
Allow minimal services for a typical Microsoft Windows NT 4.0 host to boot, log in, and access files on the network.
By default, this rule set does not permit the host to share files on the local disk with other users in a Microsoft network neighborhood. It also prevents the host from responding to network neighborhood browse requests from other hosts. To enable these actions, add the following two rules to the host’s EFW policy:
■ Allow the transmission of TCP packets from port 139 on this host to ports 1024-65535 on any other host.
■ Allow TCP packets to be received from ports 1024-65535 on any other host to port 139 on this host.
Windows 2000 Standard
Allow minimal services for a typical Microsoft Windows 2000 host to boot, log in, and access files on the network.
By default, this rule set does not permit the host to share files on the local disk with other users in a Microsoft network neighborhood. It also prevents the host from responding to network neighborhood browse requests from other hosts. To enable these actions, add the following two rules to the host’s EFW policy:
■ Allow the transmission of TCP packets from port 139 on this host to ports 1024-65535 on any other host.
■ Allow TCP packets to be received from ports 1024-65535 on any other host to port 139 on this host.
NOTE: During the login process, the administrator’s personalized settings are loaded, and permission to exchange several randomly ported UDP packets between the host and its primary domain controller is required. Therefore, when a domain administrator who is a member of multiple groups (for example, Enterprise, Schema, Group Policy Creator, etc.) logs into a Windows 2000 host that is protected by an EFW device which is enforcing a policy that includes the Windows 2000 Standard rule set, this rule set may not be sufficient to permit the administrator to log in. To fix the problem, add the following rules to the host’s EFW policy:
■ Allow the transmission of UDP packets from any port on this host to any port on its primary domain controller.
■ Allow UDP packets to be received from any port on the primary domain controller to any port on this host.
Windows 2000 DHCP Server
Allow the host to provide host-configuration services for Microsoft Windows hosts. This rule set supports the Microsoft implementation of DHCP.
Internet Client
Allow the host to request typical Internet services, including SMTP, FTP, HTTP, HTTPS, and NNTP.
Windows 2000 IPSEC
Allow Internet Protocol Security (IPSEC) services for Microsoft Windows 2000 hosts.
3Com Embedded Firewall Management Console
Allow the host to perform actions required by an EFW Management Console.
3Com Embedded Firewall Policy Server
Allow the host to perform actions required by an EFW Policy Server.
Deny TCP Connection Initiation
Block any outbound TCP packet with the SYN flag set.
DHCP Client
Allow the host to request host configuration using DHCP.
(continued)
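The rules this appendix tells you to add (TCP port 139 to and from ports 1024-65535 for file sharing and browse replies, UDP on any port between the host and its primary domain controller for administrator login, and the outbound-SYN block of the Deny TCP Connection Initiation rule set) are easy to state but easy to get subtly wrong in direction or port range. The following Python model is an added example, not 3Com's code and not the EFW policy format: it encodes those rules as data and evaluates constructed packets against them so you can see exactly what each rule set lets through. The first-match-wins order, the default-deny result, the Packet and Rule classes, and the sample address PDC_IP are all assumptions of the model, not facts from the appendix.

```python
# Added example (not 3Com's code): a small model of host-firewall rules of the kind
# this appendix describes, used to check what each rule set permits or denies.
# Assumptions: first matching rule wins, unmatched packets are denied, and the
# primary domain controller address PDC_IP is a constructed sample value.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]
ANY_PORT: PortRange = (0, 65535)
EPHEMERAL: PortRange = (1024, 65535)   # "ports 1024-65535" in the appendix
PDC_IP = "192.0.2.10"                  # constructed sample address of the primary DC


@dataclass(frozen=True)
class Packet:
    direction: str        # "out" = transmitted by this host, "in" = received by it
    proto: str            # "tcp" or "udp"
    local_port: int
    remote_port: int
    remote_ip: str
    syn: bool = False     # TCP SYN flag set (connection initiation)


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    direction: str
    proto: str
    local_ports: PortRange = ANY_PORT
    remote_ports: PortRange = ANY_PORT
    remote_ip: Optional[str] = None   # None means any other host
    syn_only: bool = False            # match only packets with the SYN flag set

    def matches(self, p: Packet) -> bool:
        return (
            self.direction == p.direction
            and self.proto == p.proto
            and self.local_ports[0] <= p.local_port <= self.local_ports[1]
            and self.remote_ports[0] <= p.remote_port <= self.remote_ports[1]
            and (self.remote_ip is None or self.remote_ip == p.remote_ip)
            and (not self.syn_only or p.syn)
        )


def decide(policy: List[Rule], p: Packet) -> str:
    """Return 'allow' or 'deny' for p; first match wins, default deny (model assumption)."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


# The two rules the appendix adds so the host can share files and answer network
# neighborhood browse requests: TCP port 139 on this host <-> ports 1024-65535 elsewhere.
FILE_SHARING_RULES = [
    Rule("allow", "out", "tcp", local_ports=(139, 139), remote_ports=EPHEMERAL),
    Rule("allow", "in", "tcp", local_ports=(139, 139), remote_ports=EPHEMERAL),
]

# The two rules the NOTE adds for domain administrators in many groups:
# UDP on any port, but only between this host and its primary domain controller.
DC_LOGIN_RULES = [
    Rule("allow", "out", "udp", remote_ip=PDC_IP),
    Rule("allow", "in", "udp", remote_ip=PDC_IP),
]

# "Deny TCP Connection Initiation": block any outbound TCP packet with SYN set.
DENY_TCP_INITIATION = [Rule("deny", "out", "tcp", syn_only=True)]


def check_scenarios() -> dict:
    """Evaluate representative packets against the rule sets; all packets are constructed."""
    browse_reply = Packet("out", "tcp", 139, 1045, "192.0.2.50")       # answering a browse request
    share_request = Packet("in", "tcp", 139, 2048, "192.0.2.50")       # a peer opening a share
    odd_source = Packet("in", "tcp", 139, 80, "192.0.2.50")            # source port outside 1024-65535
    dc_udp = Packet("out", "udp", 49152, 389, PDC_IP)                  # random-port UDP to the PDC
    other_udp = Packet("out", "udp", 49152, 389, "192.0.2.99")         # same traffic to a non-DC host
    smb_syn = Packet("out", "tcp", 1030, 139, "192.0.2.50", syn=True)  # this host initiating SMB
    return {
        "browse_reply_without_rules": decide([], browse_reply),
        "browse_reply_with_rules": decide(FILE_SHARING_RULES, browse_reply),
        "share_request_with_rules": decide(FILE_SHARING_RULES, share_request),
        "odd_source_with_rules": decide(FILE_SHARING_RULES, odd_source),
        "dc_udp": decide(DC_LOGIN_RULES, dc_udp),
        "other_udp": decide(DC_LOGIN_RULES, other_udp),
        "smb_syn_out": decide(DENY_TCP_INITIATION + FILE_SHARING_RULES, smb_syn),
        "browse_reply_under_deny_init": decide(DENY_TCP_INITIATION + FILE_SHARING_RULES, browse_reply),
    }


if __name__ == "__main__":
    for name, verdict in check_scenarios().items():
        print(f"{name:32} {verdict}")
```

Two points the model makes visible: the file-sharing rules are deliberately narrow (an inbound packet to port 139 from a source port below 1024 still falls through to the default deny), and the UDP rules in the NOTE are scoped to the primary domain controller's address rather than to any host, so the same UDP traffic to another machine is still denied. Combining the Deny TCP Connection Initiation rule set with the file-sharing rules shows why the SYN-only match matters: the host can still answer browse requests on port 139, but cannot itself initiate an SMB connection.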