public inbox for gentoo-user@lists.gentoo.org
From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Do you block outbound ports?
Date: Sat, 20 Aug 2011 21:02:24 +0200
Message-ID: <21545806.n9l1RQMaLZ@nazgul>
In-Reply-To: <CAN0CFw2hfsq=Eo+Hwrn0nrs1yLu7_aKMWRhC9DdUc1_WwEszUw@mail.gmail.com>

On Sat 20 August 2011 10:38:43 Grant did opine thusly:
> I like the policy of blocking all ports in and out with a firewall
> and only opening the ones you need.  Bittorrent makes that
> difficult since it connects out to unpredictable ports.  Do you
> block outbound ports with a firewall or only inbound?

For the most part only inbound. Blocking outbound is pretty much 
pointless as a security measure.

You cannot control what people will want to connect to outbound. Every 
time you think you have a complete list, someone will come along and 
provide you with heaps of reasons as to why their request is legit 
(and it usually is!)

What you can control completely is the services you offer and on what 
ports, therefore inbound firewalls make sense.

That's not to say we don't use outbound firewalls at all, we do - as a 
policy measure. Outbound port 25 is blocked so that people will use my 
relays instead. I trust them to play nice, they trust me to keep the 
service up. For us, this works well. But as a security measure the 
entire model falls apart as soon as someone with a clue comes along. I 
have this game I play with our firewall/security people where I get to 
look smug. Tool of choice? ssh

The security benefits from outbound connections to my mind are:
warm-and-fuzzy security
cover-your-ass security
just-do-whatever-the-damn-auditor-says-so-he-can-stfu security
i-don't-know-what-i'm-doing security

but almost never real security. That's better done with permanent ACLs 
on the routers.

-- 
alan dot mckinnon at gmail dot com
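The "policy, not security" outbound rule Alan describes (block TCP/25 from the client network unless it goes to the sanctioned relays, allow everything else out) as an added nftables example. This is not code from the thread or from any Gentoo project; the interface name, the relay addresses (TEST-NET-1 range) and the table/set names are assumptions chosen for illustration. The ruleset is emitted as text first so it can be reviewed before it is loaded, and the non-relay SMTP attempts are logged as well as rejected, which is the check that tells you who is not using the relays. It does nothing about the point Alan makes with ssh: any port the rule leaves open can carry a forwarded tunnel, so this only shapes behaviour of cooperative users.

```shell
#!/bin/sh
# Added example, not from the original message: an outbound *policy* filter
# in nftables. Assumptions (override via environment if needed):
#   LAN_IF  - interface facing the clients that must use the relays
#   RELAYS  - the mail relays that are allowed to receive TCP/25 directly
# Everything else outbound is left alone (policy accept), matching the
# "for the most part only inbound" stance in the message.
set -eu

LAN_IF="${LAN_IF:-eth1}"                    # assumed client-facing interface
RELAYS="${RELAYS:-192.0.2.25, 192.0.2.26}"  # assumed relay addresses

# Print the ruleset rather than loading it straight away, so a reviewer (or a
# test) can inspect exactly what will be applied.
gen_ruleset() {
  cat <<EOF
table inet outbound_policy {
    set smtp_relays {
        type ipv4_addr
        elements = { ${RELAYS} }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Direct SMTP to the sanctioned relays is allowed.
        iifname "${LAN_IF}" ip daddr @smtp_relays tcp dport 25 accept
        # Any other outbound TCP/25 is rejected with a reset (clients fail
        # fast instead of hanging on a silent drop) and logged, so the
        # hosts that bypass the relays show up in the kernel log.
        iifname "${LAN_IF}" tcp dport 25 log prefix "smtp-bypass: " reject with tcp reset
    }
}
EOF
}

# Load the generated ruleset (needs root and nftables on the box).
apply_ruleset() {
  gen_ruleset | nft -f -
}

case "${1:-}" in
  apply) apply_ruleset ;;
  *)     gen_ruleset ;;
esac
```

Run it with no argument to review the ruleset, `apply` to load it. Using `reject with tcp reset` rather than `drop` is deliberate for a policy rule: the goal is to steer users to the relays, not to hide the firewall from them, and a fast failure is what makes people read the memo.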



Thread overview: 6+ messages
2011-08-20 17:38 [gentoo-user] Do you block outbound ports? Grant
2011-08-20 19:02 ` Alan McKinnon [this message]
2011-08-21  4:31   ` Pandu Poluan
2011-08-20 19:11 ` [gentoo-user] " Nikos Chantziaras
2011-08-20 22:41 ` [gentoo-user] " Paul Hartman
2011-08-21 12:10 ` [gentoo-user] " James
