RE: Outbound ports to firewall?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Better yet do what I do and point every system to a dead-end and only allow
restricted proxy access to the web.

Jason

> -----Original Message-----
> From: Jason Dixon [mailto:jason@xxxxxxxxxxxxxx] 
> Sent: Friday, September 24, 2004 9:40 AM
> To: General Red Hat Linux discussion list
> Subject: Re: Outbound ports to firewall?
> 
> 
> On Sep 24, 2004, at 9:29 AM, Parker Morse wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Like most people, I've put some effort into filtering 
> incoming email 
> > and firewalling my network to prevent nasties from getting in. But 
> > recent discussion of preventing the spread of Windows 
> worms, viruses, 
> > etc. etc. has led me to a question I don't have an answer for.
> >
> > Let's assume, for a thought experiment, that one of the 
> Windows boxen 
> > inside my gateway firewall is infected with *something*, who knows 
> > what. To protect the rest of the 'net from this little bundle of 
> > pestilence in the time before I track it down and choke it 
> to death, I 
> > should probably have some firewall rules to keep the bulk of the 
> > nastiness from leaving my network. Outbound rules.
> >
> > What ports should I consider closing up to keep 
> hypothetical infected 
> > inside my network from phoning home and/or spreading the infection?
> 
> You don't.  You block all by default, and only allow approved 
> outbound 
> traffic (via proxy or directly).  Otherwise, you're constantly 
> attempting to play catch-up with mutating (and new) undesired 
> services. 
>   Here is an example list of approved outbound traffic from 
> my (OpenBSD 
> PF) ruleset:
> 
> tcp_out_services="{ whois, ftp, http, https, ssh, pop3, pop3s, imap, 
> imaps, smtp
> , bootps, 465, 1723, 1863, 3128, 5190, 6667, 55500 }"
> # 465 = SMTP/SSL
> # 1723 = PPTP
> # 1863 = MSN Messenger
> # 3128 = Squid
> # 5190 = AIM
> # 6667 = IRC
> # 55500 = PokiPoker
> udp_out_services="{ domain, bootps, ntp }"
> 
> HTH.
> 
> --
> Jason Dixon, RHCE
> DixonGroup Consulting
> http://www.dixongroup.net
> 
> 
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
> 


-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]

  Powered by Linux