Koozali.org: home of the SME Server

reconfigure firewall

Tim Litwiller

reconfigure firewall
« on: May 21, 2003, 11:50:05 PM »
One of our clients needs to communicate with Walmart; here are the instructions. I don't know if this can be done with an e-smith or not; any help would be appreciated.


If you are using a firewall the following rules will need to be created:

1. For communication to Wal-Mart open 161.165.202.30 to port 5080
2. For communications from Walmart open 161.165.202.24, 161.165.202.25, 161.165.202.26 and 161.165.202.27 for any port greater than 1023

Luis A. Navas

Re: reconfigure firewall
« Reply #1 on: May 23, 2003, 03:50:41 AM »
Try to use the openport rpm. If you don't know how to download it, try to find it on contribs.org, or send me an e-mail and I'll reply back with the openport and denyport rpms.

Luis A. Navas

Re: reconfigure firewall
« Reply #2 on: May 23, 2003, 04:29:02 AM »
OK, here is the path to download the portopening rpm:

http://mirror.contribs.org/smeserver/contribs/dmay/mitel/contrib/portopening/

Here you can select the appropriate rpm for your SME box.

Tim Litwiller

Re: reconfigure firewall
« Reply #3 on: May 23, 2003, 04:54:35 AM »
Well, those instructions from Walmart don't make sense to me. But that is what they have. I don't see how to do what they ask.

Graeme Fleming

Re: reconfigure firewall
« Reply #4 on: May 24, 2003, 01:15:29 AM »
Looks like they are giving you info for something like a Checkpoint FW1 rulebase, though if you were running one of these beasties you would still want some sort of authentication methodology applied as well.

FW1 is a mid-range to high-end product, so if a company has spent the dosh on one then it would be reasonably anal about security.

Michiel

Re: reconfigure firewall
« Reply #5 on: May 24, 2003, 01:36:19 AM »
> FW1 is a midrange to high product so if a company has spent
> the dosh on one then it would be reasonably anal about
> security.

If that's the case, why do they want their suppliers to just open every port greater than 1023? Seems a security risk to me, and if their suppliers get compromised, Walmart can be attacked from there. As you said, some other kind of authentication would be smart.

Tim Litwiller

Re: reconfigure firewall
« Reply #6 on: May 24, 2003, 01:56:10 AM »
I think their instructions are messed up. In the first 2 instructions, if you swap the "to" and "from" it would make a lot more sense, to me at least.

Lower on the page they ask for your IP address, http://1.2.3.4:5880, so it looks like that is how they are coming into the customer's site.

I think I will port forward 5880 to the end user's desktop when they get back from the long weekend and then see if the problem is fixed.

Tim Litwiller

Re: reconfigure firewall
« Reply #7 on: July 02, 2003, 02:30:59 AM »
just got back to this today:

Actually called Walmart and talked to their tech.

They want me to allow all ports above 1024 in from their 4 IP addresses.

So the client software connects out on 5880 to make a request, and then one of the 4 servers will make a connection back to the firewall on an unspecified port above 1024, which needs to get forwarded to the client machine.

So with the current rules that block incoming access, I need to add a rule that:

 if the request comes from one of these 4 IP addresses and the port is above 1024, it forwards the request to the Windows workstation.
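
The rule described in the post above, written out as iptables commands. This is an added example, not code from the thread, from the openport/portopening contribs, or from SME Server itself. It assumes an iptables-based SME release and uses hypothetical values for the Windows workstation (192.168.1.50) and the external interface (eth1); both must be changed to match the site.

```shell
#!/bin/sh
# Added example: the "four Walmart addresses, any port above 1023, forward to
# the workstation" rule as raw iptables commands.  Not from the thread or
# from SME Server.  WORKSTATION and EXT_IF are hypothetical placeholders.

WALMART_SERVERS="161.165.202.24 161.165.202.25 161.165.202.26 161.165.202.27"
WORKSTATION="${WORKSTATION:-192.168.1.50}"   # assumed LAN address of the client PC
EXT_IF="${EXT_IF:-eth1}"                     # assumed external (WAN) interface
IPT="${IPT:-iptables}"                       # set IPT=echo to print rules instead of loading them

# One DNAT rule plus one FORWARD rule per Walmart address.  The match is
# kept as narrow as the requirement allows: source address, TCP only,
# unprivileged destination ports only, new connections only.  Nothing from
# any other source reaches the workstation; the callback on an "unspecified
# port above 1024" is still every unprivileged port on that PC, so this is
# exactly the exposure the earlier replies warn about.
apply_walmart_rules() {
    for src in $WALMART_SERVERS; do
        "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp -s "$src" \
            --dport 1024:65535 -j DNAT --to-destination "$WORKSTATION"
        "$IPT" -A FORWARD -i "$EXT_IF" -p tcp -s "$src" -d "$WORKSTATION" \
            --dport 1024:65535 -m state --state NEW -j ACCEPT
    done
}

# Dry-run check: generate the rules with echo and count the DNAT entries,
# so the ruleset can be inspected before it is loaded on the firewall.
count_dnat_rules() {
    (IPT=echo; apply_walmart_rules) | grep -c -- '-j DNAT'
}

# To load for real: apply_walmart_rules   (as root, IPT left at its default)
# To inspect first:  (IPT=echo; apply_walmart_rules)
```

Two caveats for an SME box. The outbound request from the client to 161.165.202.30 needs no rule, because SME's default firewall lets internal hosts connect out. And SME regenerates its masq firewall from templates, so rules typed in by hand are gone after the next masq restart; persist them through a custom template fragment or a contrib such as the portopening rpm linked earlier rather than from the command line. Before relying on it, dry-run the function and check that the four DNAT lines name the right interface and workstation address, then confirm with `iptables -t nat -L PREROUTING -n -v` once loaded.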

Guck Puppy

Re: reconfigure firewall
« Reply #8 on: July 02, 2003, 04:10:33 AM »
Sweet monkeys, I know it's been said already but that's whack.

They don't use a VPN for this stuff? are the connections they're going to be making secured ones even?

Maybe you could ask their techs to let you talk to some of their other customers that are using this dodgy method to find out what THEY are doing to mitigate the security risk?

G

Tim Litwiller

Re: reconfigure firewall
« Reply #9 on: July 02, 2003, 06:31:24 AM »
I think all their users are small businesses. I asked the tech if he wasn't worried about security, and he said that most of their businesses didn't have any kind of firewall, so they are of the opinion that firewalls are bad because it takes longer to close a trouble ticket, and that is how they get raises: how many trouble tickets closed per month. So no, he wasn't concerned about security; to him it is a detriment.

I'm almost tempted to boycott Walmart... HA! Like my wife would let us do that!