Re: Is it recommended to allow all outgoing connections from your firewall??
On 11 May 2006, at 1:56 AM, [EMAIL PROTECTED] wrote:

> --On May 10, 2006 6:22:11 PM -0700 Mark Jayson Alvarez <[EMAIL PROTECTED]> wrote:
>
> Because if the machine has been compromised, it doesn't *matter* what the outgoing ruleset is. Or what anything else is, for that matter.

What if you're not in, but you can initiate an outgoing connection? From a buggy PHP script on a web server, for example?

> If I hack your box, one of the first things I'm going to do is install a rootkit. Then I'm going to wipe the logs of any evidence of my entry (but leave them intact otherwise), clean my tracks from the shell history file and remove any other evidence of my presence. "Bypassing" your firewall rules is the least of my worries.
>
> Paul Schmehl ([EMAIL PROTECTED])
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Is it recommended to allow all outgoing connections from your firewall??
Mark Jayson Alvarez wrote:
> I've seen most people allow all outgoing traffic originating from the firewall itself... Is this really recommended??

No. It's highly desirable to perform egress filtering if possible, but many people lack the time or the detailed knowledge to determine what outbound ports they really need to use. Simply blocking port 6667 can provide a lot of protection against botnets because IRC is so commonly used as the control channel.

[ RFC-2196 recommends doing outbound packet-filtering. ]

--
-Chuck
Re: Is it recommended to allow all outgoing connections from your firewall??
> I've seen most people allow all outgoing traffic originating from the firewall itself... Is this really recommended?? What if the machine has been

A server being a server (and a firewall is nothing but a specific server), there is no reason one would run a client application from that machine. So I deny every outgoing connection from a server (the only exceptions are the protocols used by the server to upgrade itself; http/ftp is allowed only through a proxy). This imposes very little constraint, and I make the server much safer, knowing that one will not be able to read his mail or browse the web from that server.

Best regards,
Olivier
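A pf ruleset that implements the policy Chuck and Olivier describe (default-deny egress from the firewall host itself, IRC port 6667 blocked and logged, updates only via a proxy), written here as an added example rather than anything posted in the thread. It assumes em0 is the external interface, em1 the LAN interface, 192.0.2.0/24 is the LAN, 192.0.2.10:3128 is an HTTP proxy on the LAN, and 203.0.113.53 and 203.0.113.123 are the upstream resolver and NTP server; all addresses are constructed from the RFC 5737 documentation ranges. The one trick worth noting is the `tag`/`tagged` pair: forwarded LAN traffic is tagged on the way in, so the outbound rules can tell it apart from connections the firewall host originates, which is exactly the traffic the original question asks about.

```pf
# /etc/pf.conf -- added example, not from the thread.
# Assumed (constructed) topology:
#   em0  external interface
#   em1  LAN interface, 192.0.2.0/24
#   192.0.2.10:3128    HTTP proxy on the LAN (used for pkg/freebsd-update)
#   203.0.113.53       upstream DNS resolver
#   203.0.113.123      upstream NTP server
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.0.2.0/24"
proxy   = "192.0.2.10"
dns     = "203.0.113.53"
ntp     = "203.0.113.123"

set skip on lo0
set block-policy drop

# Default deny in both directions; everything dropped is logged to pflog0.
# Any outbound attempt from the host that is not whitelisted below shows
# up there, which is the detection value of egress filtering.
block log all

# Forwarded traffic: tag it on the LAN side so the rules on $ext_if can
# distinguish it from traffic the firewall itself originates.
pass in  on $int_if inet from $lan_net to !($int_if) tag LAN_FWD keep state
pass out on $ext_if inet tagged LAN_FWD keep state

# Management access to the firewall from the LAN only.
pass in on $int_if inet proto tcp from $lan_net to ($int_if) port 22 keep state

# Host-originated traffic (untagged outbound) starts from deny.
# Block IRC explicitly and log it, so a bot trying to phone home is
# visible even though the default deny already covers it.
block out log quick on $ext_if inet proto tcp from ($ext_if) to any port 6667

# What the host needs to operate: DNS and NTP to known upstreams only.
pass out quick on $ext_if inet proto { tcp udp } from ($ext_if) to $dns port 53  keep state
pass out quick on $ext_if inet proto udp         from ($ext_if) to $ntp port 123 keep state

# Updates (http/ftp) only through the proxy on the LAN, never direct.
pass out quick on $int_if inet proto tcp from ($int_if) to $proxy port 3128 keep state

# Outbound ping from the host for diagnostics; replies come back via state.
pass out quick on $ext_if inet proto icmp from ($ext_if) icmp-type echoreq keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch what the default deny catches with `tcpdump -n -e -ttt -i pflog0`. If you load a default-deny ruleset over a remote session, keep the SSH rule above and schedule a revert (for example a one-shot `at` job that reloads the old file) in case you lock yourself out. Note that `block log all` also covers inbound traffic to the host, so any service the firewall must expose needs its own `pass in` rule.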
Re: Is it recommended to allow all outgoing connections from your firewall??
--On May 10, 2006 6:22:11 PM -0700 Mark Jayson Alvarez <[EMAIL PROTECTED]> wrote:
> I've seen most people allow all outgoing traffic originating from the firewall itself... Is this really recommended?? What if the machine has been compromised and the intruder has installed a program that lets him access the machine remotely by having the program itself initiate the outgoing connection to him, thus defying the incoming connection firewall ruleset...

Because if the machine has been compromised, it doesn't *matter* what the outgoing ruleset is. Or what anything else is, for that matter.

If I hack your box, one of the first things I'm going to do is install a rootkit. Then I'm going to wipe the logs of any evidence of my entry (but leave them intact otherwise), clean my tracks from the shell history file and remove any other evidence of my presence. "Bypassing" your firewall rules is the least of my worries.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: Is it recommended to allow all outgoing connections from your firewall??
On Wed, May 10, 2006 at 06:22:11PM -0700, Mark Jayson Alvarez wrote:
> Hi,
>
> I've seen most people allow all outgoing traffic originating from the firewall itself... Is this really recommended?? What if the machine has been compromised and the intruder has installed a program that lets him access the machine remotely by having the program itself initiate the outgoing connection to him, thus defying the incoming connection firewall ruleset...

If that's of concern to you (and it is, I reckon, a valid concern), then you should certainly look into blocking outgoing connections from your firewall. It depends on what you consider to be acceptable risk.

Dan

--
Daniel Bye
PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A
 _     ASCII ribbon campaign
( )  - against HTML, vCards and
 X   - proprietary attachments in e-mail
/ \