From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Do you block outbound ports?
Date: Sat, 20 Aug 2011 21:02:24 +0200
Message-ID: <21545806.n9l1RQMaLZ@nazgul>

On Sat 20 August 2011 10:38:43 Grant did opine thusly:
> I like the policy of blocking all ports in and out with a firewall
> and only opening the ones you need. Bittorrent makes that
> difficult since it connects out to unpredictable ports. Do you
> block outbound ports with a firewall or only inbound?

For the most part only inbound.

Blocking outbound is pretty much pointless as a security measure. You cannot control what people will want to connect to outbound. Every time you think you have a complete list, someone will come along and provide you with heaps of reasons as to why their request is legit (and it usually is!)

What you can control completely is the services you offer and on what ports, therefore inbound firewalls make sense.

That's not to say we don't use outbound firewalls at all, we do - as a policy measure. Outbound port 25 is blocked so that people will use my relays instead. I trust them to play nice, they trust me to keep the service up. For us, this works well.

But as a security measure the entire model falls apart as soon as someone with a clue comes along. I have this game I play with our firewall/security people where I get to look smug. Tool of choice? ssh

The security benefits from outbound connections to my mind are:

warm-and-fuzzy security
cover-your-ass security
just-do-whatever-the-damn-auditor-says-so-he-can-stfu security
i-don't-know-what-i'm-doing security

but almost never real security.

That's better done with permanent ACLs on the routers.

-- 
alan dot mckinnon at gmail dot com
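The policy split the post describes (inbound default-deny limited to the services the host offers, outbound left open except that SMTP must go through the site relays) written out as an nftables ruleset. This is an added example, not configuration from the post or from Gentoo; the relay addresses (RFC 5737 documentation range) and the inbound service ports 22/80/443 are placeholders chosen for illustration.

```nftables
# Added example (not from the original post). Relay addresses and the
# inbound service ports are placeholders; substitute the site's own values.
define relays = { 192.0.2.10, 192.0.2.11 }   # placeholder relay IPs

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Inbound is the part the admin fully controls: open only the
        # services this host deliberately offers.
        tcp dport { 22, 80, 443 } ct state new accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
        ct state established,related accept
        # Policy rule, not a security boundary: SMTP is allowed only to the
        # relays. Anything else on port 25 is logged (so bypass attempts are
        # visible in the kernel log) and dropped. All other outbound traffic
        # falls through to the chain's accept policy.
        ip daddr $relays tcp dport 25 accept
        tcp dport 25 log prefix "smtp-not-via-relay: " drop
    }
}
```

Load with `nft -f <file>` (requires root) and inspect with `nft list ruleset`. The log prefix is what makes the outbound rule useful as a policy measure: a host that repeatedly trips it is a misconfigured mailer or a client that needs to be pointed at the relays, which is exactly the conversation the post says such a rule is for. Note that `ip daddr` matches IPv4 only; if the relays also have IPv6 addresses, add a matching `ip6 daddr` accept before the drop, otherwise IPv6 SMTP to the relays is dropped as well.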