
07-03-2003
Re: Firewall against Windows XP?
Carlos Moreno wrote:
> Hi there,
>
> I have a home LAN protected by a Linux box that acts as a
> Gateway/router/firewall (currently set up with iptables,
> "stealth" mode).
>
> I currently use Linux and Windows 2000 on my internal
> machines, but I may be "forced" to switch to Windows XP
> (professional, I guess) in the near future (you know,
> the usual story )8-[ )
>
> Anyway, I've always been terrified of using Windows XP,
> which I regard as the worst threat to the privacy and
> security of my machines, my privacy, information, etc.
>
> I was wondering if you guys have experience with this
> setup (I'm talking about a Linux-based gateway/firewall
> to protect a network that has computers with WinXP among
> others). Any specific ports that I need to block to
> prevent Windows XP from doing its funny thing??
>
> I'm even terrified to simply put a strong firewall for
> the incoming stuff -- it terrifies me that Windows XP
> might willingly share my information without my knowing
> it. I wonder if there is a list of ports that I should
> block on both directions? (something that would not
> affect regular usage of the web, e-mail, ftp downloads,
> SSH, etc.). I might even be willing to unconditionally
> block traffic to or from www.microsoft.com, www.hotmail.com,
> MSN, etc. (if that does make any sense -- you know, being
> paranoid as I am, and so profoundly uninterested in stuff
> from Microsoft, I think it could make sense).
>
> (yes, I know, I know I seem to be sending mixed signals...
> So uninterested in Microsoft stuff, but currently using
> Win2K and thinking of switching to WinXP... *sigh*, this
> world is so depressing, I know :-))
>
> Thanks for any advice or pointers!
>
> Carlos
> --
Be sure you block any NETBIOS service sessions, and its newer ports.
Also block the various printer server shares (i.e. HP Print Services).
I know of many trivial, but nasty, compromise attacks against these
ports.
Steve Hathaway
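
An added example, not part of either poster's message: one way to express the advice above as iptables rules on the Linux gateway, dropping and logging NetBIOS/SMB and printer-service traffic forwarded in either direction. The interface names, the WINBLOCK chain name and the exact port list (137-139, 445 for NetBIOS and its newer SMB port; 515, 631, 9100 for LPD, IPP and HP JetDirect printing) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. Prints the rules by default; run with APPLY=1 as root to load them.
# Assumed interface names: change them to match the gateway.
LAN_IF="${LAN_IF:-eth1}"   # inside (Windows XP machines)
WAN_IF="${WAN_IF:-eth0}"   # outside (Internet)

# Assumed port list: NetBIOS name/datagram/session, SMB over TCP, LPD, IPP, JetDirect.
TCP_PORTS="137,138,139,445,515,631,9100"
UDP_PORTS="137,138,139,445"

winblock_rules() {
    # Dedicated chain: rate-limited log entry, then drop.
    echo "iptables -N WINBLOCK"
    echo "iptables -A WINBLOCK -m limit --limit 6/min -j LOG --log-prefix 'WINBLOCK: '"
    echo "iptables -A WINBLOCK -j DROP"
    # Insert at the top of FORWARD so an earlier ACCEPT (for example an
    # ESTABLISHED,RELATED rule) cannot let this traffic through.
    for pair in "$LAN_IF $WAN_IF" "$WAN_IF $LAN_IF"; do
        set -- $pair   # $1 = inbound interface, $2 = outbound interface
        echo "iptables -I FORWARD -i $1 -o $2 -p tcp -m multiport --dports $TCP_PORTS -j WINBLOCK"
        echo "iptables -I FORWARD -i $1 -o $2 -p udp -m multiport --dports $UDP_PORTS -j WINBLOCK"
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    winblock_rules | sh
else
    winblock_rules
fi
```

The log prefix makes it easy to see in the kernel log which internal machine is attempting these connections outbound.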