Outbound ports to firewall?

Lloyd H. Meinholz lloyd.meinholz at bmpcoe.org
Fri Sep 24 14:05:52 UTC 2004


On a similar note, does it make any sense for me to limit outgoing ports
on my workstation's firewall? We have some limits on our network firewall
and I have no control over that. I'm having some issues getting my
iptables rules working correctly on my workstation, especially samba (so
I can print to our windows print server) and am debating what I am
actually accomplishing by filtering outgoing traffic from my
workstation.

Right now, I'm of the opinion that filtering outgoing ports from my
workstation really only accomplishes reassuring myself that nothing that
I don't know of is getting out of my box and that I'm learning
iptables... :) If I were selling it I could say that I am trying to
limit and contain any potential security breach to my workstation. Is
there something else I'm missing?

Lloyd


On Fri, 2004-09-24 at 09:40, Jason Dixon wrote:
> On Sep 24, 2004, at 9:29 AM, Parker Morse wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Like most people, I've put some effort into filtering incoming email 
> > and firewalling my network to prevent nasties from getting in. But 
> > recent discussion of preventing the spread of Windows worms, viruses, 
> > etc. etc. has led me to a question I don't have an answer for.
> >
> > Let's assume, for a thought experiment, that one of the Windows boxen 
> > inside my gateway firewall is infected with *something*, who knows 
> > what. To protect the rest of the 'net from this little bundle of 
> > pestilence in the time before I track it down and choke it to death, I 
> > should probably have some firewall rules to keep the bulk of the 
> > nastiness from leaving my network. Outbound rules.
> >
> > What ports should I consider closing up to keep hypothetical infected 
> > inside my network from phoning home and/or spreading the infection?
> 
> You don't.  You block all by default, and only allow approved outbound 
> traffic (via proxy or directly).  Otherwise, you're constantly 
> attempting to play catch-up with mutating (and new) undesired services. 
>   Here is an example list of approved outbound traffic from my (OpenBSD 
> PF) ruleset:
> 
> tcp_out_services="{ whois, ftp, http, https, ssh, pop3, pop3s, imap,
> imaps, smtp, bootps, 465, 1723, 1863, 3128, 5190, 6667, 55500 }"
> # 465 = SMTP/SSL
> # 1723 = PPTP
> # 1863 = MSN Messenger
> # 3128 = Squid
> # 5190 = AIM
> # 6667 = IRC
> # 55500 = PokiPoker
> udp_out_services="{ domain, bootps, ntp }"
> 
> HTH.
> 
> --
> Jason Dixon, RHCE
> DixonGroup Consulting
> http://www.dixongroup.net
> 
> 
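The default-deny outbound approach Jason describes, carried over to the iptables workstation case Lloyd raises, as an added example (not code from either poster): the script generates an OUTPUT chain that drops everything by default, permits an explicit allow-list of services, carves out SMB/CIFS only toward the print server, and logs whatever is dropped so unknown outbound traffic becomes visible instead of silently disappearing. The print server address 192.0.2.10 is a placeholder, and the service lists are illustrative.

```shell
#!/bin/sh
# Emits iptables commands for a default-deny OUTPUT chain on a workstation.
# Nothing is applied here; pipe the output to sh as root once reviewed.
# Placeholder address (documentation range); set PRINT_SERVER to the real host.
PRINT_SERVER="${PRINT_SERVER:-192.0.2.10}"

# Approved outbound services, by port number (names in the comment).
TCP_OUT="22 53 80 443 465 993"   # ssh dns http https smtps imaps
UDP_OUT="53 67 123"              # dns bootps ntp

gen_outbound_rules() {
  echo "iptables -P OUTPUT DROP"
  echo "iptables -F OUTPUT"
  # Loopback, and replies/related packets for connections already accepted.
  echo "iptables -A OUTPUT -o lo -j ACCEPT"
  echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # New connections only to the approved TCP services.
  for p in $TCP_OUT; do
    echo "iptables -A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  for p in $UDP_OUT; do
    echo "iptables -A OUTPUT -p udp --dport $p -j ACCEPT"
  done
  # SMB printing: 445/tcp (direct hosting) and 139/tcp (NetBIOS session),
  # plus NetBIOS name/datagram on 137-138/udp, restricted to the print server.
  echo "iptables -A OUTPUT -d $PRINT_SERVER -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -j ACCEPT"
  echo "iptables -A OUTPUT -d $PRINT_SERVER -p udp -m multiport --dports 137,138 -j ACCEPT"
  # Rate-limited log of everything else before the DROP policy takes it;
  # this is what turns "reassuring myself" into something you can check in syslog.
  echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix 'OUT-DROP: '"
}

# Number of -A OUTPUT rules the generator produced (handy for a sanity check).
count_rules() {
  gen_outbound_rules | grep -c '^iptables -A OUTPUT'
}
```

Run `gen_outbound_rules` to review the ruleset, then `gen_outbound_rules | sh` as root to apply it; drops show up in the kernel log with the OUT-DROP prefix.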

More information about the redhat-list mailing list