> >> But... what do you want to do by filtering OUTPUT ? Sure, you can drop
> >> INVALID packets, filter floods, stop packets coming from root and so on,
> >> but if you want to allow normal internet activity from the box, you have
> >> to allow NEW connections on OUTPUT to any host/port...
> >
> > There's always a (good) chance that someone will compromise the machine and
> > use it to DDOS, scan, spam etc - filtering output to allow only what you
> > need for normal usage (dns, web, ping etc) makes it less useful as a hacked
> > box.
>
> If you allow users to mail, you allow them to spam. If you allow users to send
> requests on tcp 80, you allow them to participate in a DDOS, and so on.
> There is no real way to sort out "clean" and "bad" actions at the firewall
> level... The only thing you can do is to use the 'limit' match to prevent
> some kinds of DoS. And allowing only some ports can be very limiting
> for users, since some web servers listen on other ports, they may want to use
> cvs pserver (and you didn't think to allow 3128) and so on...

Would I be right in thinking that the OUTPUT chain only filters traffic
originating from the firewall box itself, and that any traffic coming from
your clients would fall into the FORWARD chain? If that is the case, then
filtering OUTPUT would have no effect on your users' ability to surf, mail
etc, but only on the firewall box's ability to generate traffic.

Gavin

> Gael Le Mignot "Kilobug" - kilobug@freesurf.fr - http://kilobug.free.fr
> GSM : 06.71.47.18.22 (in France) ICQ UIN : 7299959
> Fingerprint : 1F2C 9804 7505 79DF 95E6 7323 B66B F67B 7103 C5DA
>
> Member of HurdFr: http://hurdfr.org - The GNU Hurd: http://hurd.gnu.org
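The OUTPUT/FORWARD split Gavin asks about, as an added example that is not part of this thread: a small iptables script that confines what the firewall host itself may originate to the dns/web/ping list from the quoted reply (with the 'limit' match), while LAN clients are decided in FORWARD. Interface names and the LAN network are placeholder assumptions; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread. In netfilter the OUTPUT chain only sees
# packets the firewall host itself generates; packets routed on behalf of LAN
# clients traverse FORWARD. A restrictive OUTPUT policy therefore limits what
# a compromised firewall box can originate without affecting the clients.
# Placeholder assumptions: LAN 192.168.1.0/24 on eth1, Internet on eth0.
LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.1.0/24
# Dry run by default (prints the commands); set IPT=iptables and run as root
# to load them for real.
IPT=${IPT:-"echo iptables"}

firewall_rules() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Replies to conversations already accepted, on every chain.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # The firewall host itself may only start DNS, HTTP/HTTPS and ping.
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 \
        -m state --state NEW -j ACCEPT
    # The 'limit' match caps the rate of pings the box can emit.
    $IPT -A OUTPUT -o "$WAN_IF" -p icmp --icmp-type echo-request \
        -m limit --limit 5/s -j ACCEPT
    # Everything else the host tries to originate (relaying spam, scanning,
    # taking part in a flood) falls through to the DROP policy; log a sample.
    $IPT -A OUTPUT -o "$WAN_IF" -m limit --limit 3/min -j LOG \
        --log-prefix "OUTPUT-DROP: "

    # LAN clients are decided here in FORWARD; the OUTPUT rules above never
    # apply to them. Rate-limit new TCP connections with the 'limit' match so
    # a compromised client cannot flood through the router.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --syn \
        -m limit --limit 50/s --limit-burst 100 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --syn -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

firewall_rules
```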