Re: External IP addresses on internal network

> 
> A point of interest for list members. Most sample scripts and some 
> production configurations do little if any filtering of traffic from the 
> LAN out to the Net. The theory being that the LAN is trusted. IMHO this 
> is a mistake. Malware can get in from e-mail, laptops, wireless 
> connections, floppies, etc. and there's no way we can stop all of it. 
> IDS is great but pretty pricey for SOHO use. I recently found a worm on 
> a client that had gotten in despite our best efforts. The only way I 
> knew it was there was by iptables logging (and rejecting) outgoing 
> traffic on unauthorized ports. I'll never know if the worm was able to 
> find an open port to reach the net, but internally it was contained to 
> one box and no harm was done. Just my 2 cents.
> 
> Jeff
> 

I filter outbound stuff in the OUTPUT table (packets from my firewall
host to the net) and the FORWARD table.

What you should be filtering is packet egress, that is your 192.168 or
whatever internal LAN leaking 'naked' (un-NATted) to the internet at
large.

I do this in two places, on the main firewall box between our "inside"
and "outside" in iptables and then again at the Cisco router facing
PSInet with an ACL that drops & logs any packets from anything other
than our PSInet Class-C, so there's no way we can "leak" on to the 'net.

Doesn't everyone do this?

Mike
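As an added example (not Mike's or Jeff's actual configuration), here is what the two-stage scheme discussed in this thread looks like as an iptables script, with the matching upstream-router ACL printed alongside it. Everything concrete in it is an assumption: the inside/outside interfaces `eth1`/`eth0`, the LAN range `192.168.1.0/24`, the public block `203.0.113.0/24` (a documentation range standing in for the real Class-C), the list of allowed TCP ports, and the IOS interface and ACL names. With `IPT` unset the functions only print the commands, which is useful for reviewing the policy; on a real gateway run it with `IPT=iptables`.

```shell
#!/bin/sh
# Added example of two-stage egress filtering on a Linux gateway, written
# for this thread; it is not the poster's real ruleset.  Interface names,
# the LAN range and the public /24 are assumed placeholders.  With IPT
# unset the functions only print the commands (a dry run); set IPT=iptables
# to apply them.
IPT="${IPT:-echo}"
LAN_IF="${LAN_IF:-eth1}"                       # assumed inside interface
WAN_IF="${WAN_IF:-eth0}"                       # assumed outside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"           # assumed internal range
PUBLIC_NET="${PUBLIC_NET:-203.0.113.0/24}"     # assumed public /24 (documentation range)
ALLOWED_TCP="${ALLOWED_TCP:-22 25 53 80 443}"  # ports LAN hosts may open directly

egress_rules() {
    # Stage 1: nothing leaves the outside interface unless it comes from our
    # own LAN range (which the MASQUERADE rule at the end translates).  Any
    # other source is spoofed or a second private range that would leak out
    # "naked"; log first so the event is visible, then drop.
    $IPT -A FORWARD -o "$WAN_IF" ! -s "$LAN_NET" -m limit --limit 5/min -j LOG --log-prefix "LEAK: "
    $IPT -A FORWARD -o "$WAN_IF" ! -s "$LAN_NET" -j DROP

    # Stage 2: LAN hosts may only open connections on authorised ports.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $ALLOWED_TCP; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    # Everything else is logged and then rejected; log lines like these are
    # what revealed the worm in Jeff's account.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY: "
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j REJECT

    # The firewall host's own traffic gets the same treatment in OUTPUT.
    $IPT -A OUTPUT -o "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 123 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "HOST-DENY: "
    $IPT -A OUTPUT -o "$WAN_IF" -j REJECT

    # Source NAT: LAN traffic that survived the filters leaves with a public address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# The second place to check, as in the thread: an ACL on the upstream router
# that permits only our public /24 and logs everything else.  This is IOS
# syntax printed for reference only; the router is not configured from here.
# The 0.0.0.255 wildcard assumes PUBLIC_NET is a /24.
router_acl() {
    net="$(echo "$PUBLIC_NET" | cut -d/ -f1)"
    cat <<EOF
ip access-list extended EGRESS
 permit ip $net 0.0.0.255 any
 deny ip any any log
interface Serial0/0
 ip access-group EGRESS out
EOF
}

egress_rules
router_acl
```

The order inside `egress_rules` matters: the LOG rule sits immediately before the REJECT or DROP it explains, and the source check on the outside interface is placed first so that no later ACCEPT can let an un-NATted private address through. The `-m limit` on each LOG rule keeps a chatty worm from filling the log faster than it can be read.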


