On Sep 24, 2004, at 9:29 AM, Parker Morse wrote:
Like most people, I've put some effort into filtering incoming email and firewalling my network to prevent nasties from getting in. But recent discussion of preventing the spread of Windows worms, viruses, etc. etc. has led me to a question I don't have an answer for.
Let's assume, for a thought experiment, that one of the Windows boxen inside my gateway firewall is infected with *something*, who knows what. To protect the rest of the 'net from this little bundle of pestilence in the time before I track it down and choke it to death, I should probably have some firewall rules to keep the bulk of the nastiness from leaving my network. Outbound rules.
What ports should I consider closing up to keep hypothetical infected hosts inside my network from phoning home and/or spreading the infection?
You don't. You block all by default, and only allow approved outbound traffic (via proxy or directly). Otherwise, you're constantly attempting to play catch-up with mutating (and new) undesired services. Here is an example list of approved outbound traffic from my (OpenBSD PF) ruleset:
tcp_out_services="{ whois, ftp, http, https, ssh, pop3, pop3s, imap, imaps, smtp, bootps, 465, 1723, 1863, 3128, 5190, 6667, 55500 }"
# 465 = SMTP/SSL
# 1723 = PPTP
# 1863 = MSN Messenger
# 3128 = Squid
# 5190 = AIM
# 6667 = IRC
# 55500 = PokiPoker
udp_out_services="{ domain, bootps, ntp }"
HTH.
-- Jason Dixon, RHCE DixonGroup Consulting http://www.dixongroup.net
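For readers who want to see the default-deny-outbound approach from the reply above as a complete ruleset rather than just the macros, here is an added example pf.conf. It is not Jason's ruleset and not from the original thread; the interface names, the internal network and the shorter service lists are assumptions, and it uses explicit keep state so it reads the same on old and new PF releases.

```pf
# Added example, not from the original post: a minimal default-deny
# pf.conf built around an outbound allow list. Interface names and the
# LAN network below are assumptions for illustration.
ext_if = "fxp0"
int_if = "fxp1"
lan_net = "192.168.1.0/24"

# Only these destination ports may be reached from the inside.
tcp_out_services = "{ whois, ftp, http, https, ssh, pop3, pop3s, imap, imaps, smtp, 465 }"
udp_out_services = "{ domain, ntp }"

set skip on lo

# Deny everything in both directions by default and log what gets dropped,
# so an inside host that starts hammering unapproved ports shows up in pflog.
block log all

# Approved traffic entering the firewall from the LAN side...
pass in on $int_if proto tcp from $lan_net to any port $tcp_out_services keep state
pass in on $int_if proto udp from $lan_net to any port $udp_out_services keep state

# ...and the same traffic leaving on the external interface.
pass out on $ext_if proto tcp to any port $tcp_out_services keep state
pass out on $ext_if proto udp to any port $udp_out_services keep state
```

Load it with `pfctl -f /etc/pf.conf` and watch the drops with `tcpdump -n -e -ttt -i pflog0`: an internal address that keeps trying port 25 or random high ports toward many outside hosts is the box to go and disinfect, which is exactly the "time before I track it down" gap the question is about.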
-- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list