Outbound ports to firewall?
Jason Staudenmayer
jasons at NJAQUARIUM.ORG
Fri Sep 24 13:57:44 UTC 2004
Better yet, do what I do: point every system at a dead end and only allow
restricted proxy access to the web.
Jason
> -----Original Message-----
> From: Jason Dixon [mailto:jason at dixongroup.net]
> Sent: Friday, September 24, 2004 9:40 AM
> To: General Red Hat Linux discussion list
> Subject: Re: Outbound ports to firewall?
>
>
> On Sep 24, 2004, at 9:29 AM, Parker Morse wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Like most people, I've put some effort into filtering incoming email
> > and firewalling my network to prevent nasties from getting in. But
> > recent discussion of preventing the spread of Windows worms, viruses,
> > etc. etc. has led me to a question I don't have an answer for.
> >
> > Let's assume, for a thought experiment, that one of the Windows boxen
> > inside my gateway firewall is infected with *something*, who knows
> > what. To protect the rest of the 'net from this little bundle of
> > pestilence in the time before I track it down and choke it to death, I
> > should probably have some firewall rules to keep the bulk of the
> > nastiness from leaving my network. Outbound rules.
> >
> > What ports should I consider closing up to keep hypothetical infected
> > boxes inside my network from phoning home and/or spreading the infection?
>
> You don't. You block all by default, and only allow approved outbound
> traffic (via proxy or directly). Otherwise, you're constantly
> attempting to play catch-up with mutating (and new) undesired services.
> Here is an example list of approved outbound traffic from my (OpenBSD
> PF) ruleset:
>
> # TCP services inside hosts may open outbound (names resolve via /etc/services)
> tcp_out_services="{ whois, ftp, http, https, ssh, pop3, pop3s, imap, imaps, smtp, bootps, 465, 1723, 1863, 3128, 5190, 6667, 55500 }"
> # 465 = SMTP/SSL
> # 1723 = PPTP
> # 1863 = MSN Messenger
> # 3128 = Squid
> # 5190 = AIM
> # 6667 = IRC
> # 55500 = PokiPoker
> # UDP services inside hosts may open outbound
> udp_out_services="{ domain, bootps, ntp }"
>
> HTH.
>
> --
> Jason Dixon, RHCE
> DixonGroup Consulting
> http://www.dixongroup.net
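What the thread's default-deny outbound advice looks like on a Linux gateway, as an added example that is not code from either poster: the iptables script below mirrors Jason Dixon's PF macros (service names turned into port numbers) in an "allowlist" mode, and adds a "proxy-only" mode for the dead-end approach Jason Staudenmayer describes, where no inside host can forward anything and only the Squid box reaches the web. The interface name, inside network and proxy address are assumptions. IPT defaults to "echo iptables", so running the script prints the rules it would load rather than changing the live firewall; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not from either poster: a default-deny outbound ruleset for
# a Linux gateway, applied in the FORWARD chain, with two modes.
#   allowlist   forward only the TCP/UDP services the PF macros listed
#   proxy-only  forward nothing from ordinary inside hosts; only the Squid
#               box may reach the web, so every client must use the proxy
# IPT defaults to "echo iptables", so the script prints the rules it would
# load. Set IPT=iptables and run as root to apply them for real.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"                # assumption: inside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumption: inside network
PROXY="${PROXY:-192.168.1.5}"           # assumption: Squid host on the LAN

# The PF service names as port numbers (PF looks them up in /etc/services):
# whois ftp http https ssh pop3 pop3s imap imaps smtp bootps, followed by
# the numeric entries from the PF macro (465 1723 1863 3128 5190 6667 55500).
TCP_OUT="43 21 80 443 22 110 995 143 993 25 67 465 1723 1863 3128 5190 6667 55500"
# domain bootps ntp
UDP_OUT="53 67 123"

outbound_rules() {
    mode="${1:-allowlist}"
    # Default policy: nothing crosses the gateway unless a rule below allows it.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Return traffic for connections that were allowed out.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    case "$mode" in
    allowlist)
        for p in $TCP_OUT; do
            $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$p" \
                -m state --state NEW -j ACCEPT
        done
        for p in $UDP_OUT; do
            $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p udp --dport "$p" -j ACCEPT
        done
        ;;
    proxy-only)
        # Only the proxy host may open web connections; it also needs DNS.
        # Inside hosts talk to the proxy on the LAN and never cross the gateway.
        $IPT -A FORWARD -i "$LAN_IF" -s "$PROXY" -p tcp -m multiport --dports 80,443 \
            -m state --state NEW -j ACCEPT
        $IPT -A FORWARD -i "$LAN_IF" -s "$PROXY" -p udp --dport 53 -j ACCEPT
        ;;
    *)
        echo "unknown mode: $mode" >&2
        return 2
        ;;
    esac
    # Everything else from inside is logged (rate-limited) and then dropped by
    # the chain policy, so an infected box that tries to phone home shows up
    # in the log instead of silently disappearing.
    $IPT -A FORWARD -i "$LAN_IF" -m limit --limit 5/min -j LOG --log-prefix "OUTBOUND-DENY: "
}

outbound_rules "${1:-allowlist}"
```

Note that this only governs traffic forwarded through the gateway; the gateway's own OUTPUT chain, and anything reachable on the LAN without crossing it, need separate treatment. In proxy-only mode the proxy's own ACLs become the outbound policy, so they deserve the same allowlist thinking.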