Outbound ports to firewall?

Jason Dixon jason at dixongroup.net
Fri Sep 24 13:40:26 UTC 2004


On Sep 24, 2004, at 9:29 AM, Parker Morse wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Like most people, I've put some effort into filtering incoming email 
> and firewalling my network to prevent nasties from getting in. But 
> recent discussion of preventing the spread of Windows worms, viruses, 
> etc. etc. has led me to a question I don't have an answer for.
>
> Let's assume, for a thought experiment, that one of the Windows boxen 
> inside my gateway firewall is infected with *something*, who knows 
> what. To protect the rest of the 'net from this little bundle of 
> pestilence in the time before I track it down and choke it to death, I 
> should probably have some firewall rules to keep the bulk of the 
> nastiness from leaving my network. Outbound rules.
>
> What ports should I consider closing up to keep hypothetical infected 
> inside my network from phoning home and/or spreading the infection?

You don't.  You block all by default, and only allow approved outbound 
traffic (via proxy or directly).  Otherwise, you're constantly 
attempting to play catch-up with mutating (and new) undesired services. 
Here is an example list of approved outbound traffic from my (OpenBSD
PF) ruleset:

tcp_out_services="{ whois, ftp, http, https, ssh, pop3, pop3s, imap, imaps, smtp, bootps, 465, 1723, 1863, 3128, 5190, 6667, 55500 }"
# 465 = SMTP/SSL
# 1723 = PPTP
# 1863 = MSN Messenger
# 3128 = Squid
# 5190 = AIM
# 6667 = IRC
# 55500 = PokiPoker
udp_out_services="{ domain, bootps, ntp }"

HTH.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
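Editor's note: the macros above are only the allowlist; what makes the "block all by default" approach work is the surrounding ruleset. The following is an added example, not part of Jason's post or of any OpenBSD release, showing a complete default-deny egress policy for a PF gateway in the pre-4.7 syntax of the period. The interface names, the LAN prefix and the NAT rule are assumptions; the service macros are reused as posted.

```pf
# Added example (not from the original post): default-deny egress filtering
# on an OpenBSD PF gateway. Interfaces and the LAN prefix are assumptions.
ext_if="fxp0"             # assumed: interface facing the Internet
int_if="fxp1"             # assumed: interface facing the LAN
lan="192.168.1.0/24"      # assumed: internal network

# Approved outbound services (the list from the post, reused as-is)
tcp_out_services="{ whois, ftp, http, https, ssh, pop3, pop3s, imap, imaps, smtp, bootps, 465, 1723, 1863, 3128, 5190, 6667, 55500 }"
udp_out_services="{ domain, bootps, ntp }"

# NAT happens before filtering on $ext_if, so the "pass out" rules below
# see the gateway's address as source, not the LAN host (assumed topology).
nat on $ext_if from $lan to any -> ($ext_if)

# Default deny in every direction. Logging the drops is what shows you an
# infected host trying to phone home on a port you never approved.
block log all

# Loopback
pass quick on lo0 all

# Egress allowlist. The state entry created when a LAN host opens an
# approved connection is what lets the replies back in; anything not on
# the list never leaves $int_if, so there is nothing to "close up" later.
pass in  quick on $int_if proto tcp from $lan to any port $tcp_out_services keep state
pass in  quick on $int_if proto udp from $lan to any port $udp_out_services keep state
pass out quick on $ext_if proto tcp to any port $tcp_out_services keep state
pass out quick on $ext_if proto udp to any port $udp_out_services keep state

# PPTP (port 1723 in the list) also needs IP protocol 47 (GRE), which a
# port list cannot express; without this the VPN tunnel never comes up.
pass in  quick on $int_if proto gre from $lan to any keep state
pass out quick on $ext_if proto gre to any keep state
```

Check the syntax without loading it (`pfctl -nf /etc/pf.conf`), load with `pfctl -f /etc/pf.conf`, and watch the default-deny rule do its job with `tcpdump -n -e -ttt -i pflog0`. Two caveats a practitioner will hit with this list: active-mode FTP needs ftp-proxy(8) (the data connection comes back inbound), and every port you approve is also a port a worm may use, so the allowlist buys you a short list to audit, not immunity.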

More information about the redhat-list mailing list