On Fri, Jan 14, 2005 at 03:14:04PM -0500, Jason Opperisano wrote:
> On Fri, Jan 14, 2005 at 12:02:28PM -0800, seberino@xxxxxxxxxxxxxxx wrote:
> > I'm wondering if it is ever necessary to block
> > *outgoing* packets at your firewall.

Yes, but others have answered this in a far more timely fashion than myself.

> i run a default DROP policy on the OUTPUT chain of my firewalls and
> only allow out necessary traffic (DNS, HTTP/FTP to update servers,
> NTP, etc). but i'm pretty odd when it comes to these things--i don't
> know how necessary it is. the one nice side-effect is that it keeps
> me from doing something stupid when i'm ssh-ed into a firewall.

Out of interest, why "DROP" rather than "REJECT"? With REJECT, users, hosts or programs on the inside tend to fail straight away rather than taking a while to time out annoyingly.

-- 
Where are we going and what's with the hand basket?
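As an added illustration of the two points in the exchange above (a default-DROP OUTPUT chain that only lets out DNS, HTTP/FTP to update servers and NTP, and the DROP-versus-REJECT question), here is a small script that generates such a ruleset in iptables-restore format. It is not code from either poster. The addresses 192.0.2.53, 192.0.2.80 and 192.0.2.123 are documentation-range placeholders standing in for the resolver, update mirror and NTP server, and the ssh rule on INPUT is assumed so that the "ssh-ed into a firewall" case still works. One caveat worth knowing: a chain policy can only be ACCEPT or DROP, so "rejecting" by default means keeping the DROP policy and appending an explicit terminal REJECT rule, which is what makes local programs fail immediately instead of waiting for a timeout.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: emit an iptables-restore
# ruleset with a default-DROP OUTPUT chain and a short allow list.
#
# Usage: gen_output_ruleset drop|reject   (prints the ruleset to stdout)
#        gen_output_ruleset reject | iptables-restore
#
# Hypothetical placeholder hosts (RFC 5737 documentation range):
RESOLVER=192.0.2.53   # assumed DNS resolver
MIRROR=192.0.2.80     # assumed package update server (HTTP/FTP)
NTP_SERVER=192.0.2.123 # assumed NTP server

gen_output_ruleset() {
    mode=${1:-drop}

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# INPUT: loopback, replies to connections we opened, and ssh for administration
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# OUTPUT: loopback and packets belonging to already-accepted connections
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS, but only to the configured resolver
-A OUTPUT -p udp -d $RESOLVER --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -d $RESOLVER --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# HTTP/FTP to the update server only (FTP data channels need nf_conntrack_ftp
# loaded so they match RELATED above)
-A OUTPUT -p tcp -d $MIRROR -m multiport --dports 21,80 -m conntrack --ctstate NEW -j ACCEPT
# NTP
-A OUTPUT -p udp -d $NTP_SERVER --dport 123 -m conntrack --ctstate NEW -j ACCEPT
EOF

    # A chain policy cannot be REJECT, so the "reject" variant keeps the DROP
    # policy and adds terminal REJECT rules: TCP gets a RST, everything else an
    # ICMP admin-prohibited, so a local client sees an error at once instead
    # of retransmitting until it times out.
    if [ "$mode" = reject ]; then
        cat <<EOF
# everything else: tell the sender straight away rather than silently dropping
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
EOF
    fi
    echo COMMIT
}

# When run directly, print the ruleset for the requested mode (default: drop).
gen_output_ruleset "${1:-drop}"
```

With the plain "drop" ruleset a blocked connection from the firewall itself just hangs until the client gives up; with the "reject" ruleset the same attempt returns "connection refused" or "network is unreachable" immediately, which is the behaviour the reply above argues for. Note that REJECT rules do cost the firewall a reply packet per rejected attempt, so on the INPUT side of an Internet-facing box many people still prefer DROP.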