public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Do you block outbound ports?
@ 2011-08-20 17:38 Grant
  2011-08-20 19:02 ` Alan McKinnon
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Grant @ 2011-08-20 17:38 UTC (permalink / raw
  To: Gentoo mailing list

I like the policy of blocking all ports in and out with a firewall and
only opening the ones you need.  Bittorrent makes that difficult since
it connects out to unpredictable ports.  Do you block outbound ports
with a firewall or only inbound?

- Grant




* Re: [gentoo-user] Do you block outbound ports?
  2011-08-20 17:38 [gentoo-user] Do you block outbound ports? Grant
@ 2011-08-20 19:02 ` Alan McKinnon
  2011-08-21  4:31   ` Pandu Poluan
  2011-08-20 19:11 ` [gentoo-user] " Nikos Chantziaras
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 6+ messages in thread
From: Alan McKinnon @ 2011-08-20 19:02 UTC (permalink / raw
  To: gentoo-user

On Sat 20 August 2011 10:38:43 Grant did opine thusly:
> I like the policy of blocking all ports in and out with a firewall
> and only opening the ones you need.  Bittorrent makes that
> difficult since it connects out to unpredictable ports.  Do you
> block outbound ports with a firewall or only inbound?

For the most part only inbound. Blocking outbound is pretty much 
pointless as a security measure.

You cannot control what people will want to connect to outbound. Every 
time you think you have a complete list, someone will come along and 
provide you with heaps of reasons as to why their request is legit 
(and it usually is!)

What you can control completely is the services you offer and on what 
ports, therefore inbound firewalls make sense.

That's not to say we don't use outbound firewalls at all, we do - as a 
policy measure. Outbound port 25 is blocked so that people will use my 
relays instead. I trust them to play nice, they trust me to keep the 
service up. For us, this works well. But as a security measure the 
entire model falls apart as soon as someone with a clue comes along. I 
have this game I play with our firewall/security people where I get to 
look smug. Tool of choice? ssh

The security benefits from outbound connections to my mind are:
warm-and-fuzzy security
cover-your-ass security
just-do-whatever-the-damn-auditor-says-so-he-can-stfu security
i-don't-know-what-i'm-doing security

but almost never real security. That's better done with permanent ACLs 
on the routers.

-- 
alan dot mckinnon at gmail dot com




* [gentoo-user] Re: Do you block outbound ports?
  2011-08-20 17:38 [gentoo-user] Do you block outbound ports? Grant
  2011-08-20 19:02 ` Alan McKinnon
@ 2011-08-20 19:11 ` Nikos Chantziaras
  2011-08-20 22:41 ` [gentoo-user] " Paul Hartman
  2011-08-21 12:10 ` [gentoo-user] " James
  3 siblings, 0 replies; 6+ messages in thread
From: Nikos Chantziaras @ 2011-08-20 19:11 UTC (permalink / raw
  To: gentoo-user

On 08/20/2011 08:38 PM, Grant wrote:
> I like the policy of blocking all ports in and out with a firewall and
> only opening the ones you need.  Bittorrent makes that difficult since
> it connects out to unpredictable ports.  Do you block outbound ports
> with a firewall or only inbound?

I block neither inbound nor outbound.  I don't run any kind of firewall 
because its whole point is interfering with network traffic  :-P





* Re: [gentoo-user] Do you block outbound ports?
  2011-08-20 17:38 [gentoo-user] Do you block outbound ports? Grant
  2011-08-20 19:02 ` Alan McKinnon
  2011-08-20 19:11 ` [gentoo-user] " Nikos Chantziaras
@ 2011-08-20 22:41 ` Paul Hartman
  2011-08-21 12:10 ` [gentoo-user] " James
  3 siblings, 0 replies; 6+ messages in thread
From: Paul Hartman @ 2011-08-20 22:41 UTC (permalink / raw
  To: gentoo-user

On Sat, Aug 20, 2011 at 12:38 PM, Grant <emailgrant@gmail.com> wrote:
> I like the policy of blocking all ports in and out with a firewall and
> only opening the ones you need.  Bittorrent makes that difficult since
> it connects out to unpredictable ports.  Do you block outbound ports
> with a firewall or only inbound?

I don't block anything outbound, but my ISP does (mostly MS-stuff that
I don't care about). I do, however, occasionally block all outgoing
just to see what the logs show, so I'm aware of what's happening. But
I don't actively monitor that outbound traffic.

I block everything inbound and only open what's specifically needed. I
use denyhosts and fail2ban to block bad guys from all ports.




* Re: [gentoo-user] Do you block outbound ports?
  2011-08-20 19:02 ` Alan McKinnon
@ 2011-08-21  4:31   ` Pandu Poluan
  0 siblings, 0 replies; 6+ messages in thread
From: Pandu Poluan @ 2011-08-21  4:31 UTC (permalink / raw
  To: gentoo-user

I can feel for 'just-do-whatever-the-damn-auditor-says-so-he-can-stfu' :)

I don't really block incoming traffic; instead, I use the TARPIT
target (xtables-addons) to make the lives of portscanners suck ;)

Rgds,


On 2011-08-21, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On Sat 20 August 2011 10:38:43 Grant did opine thusly:
>> I like the policy of blocking all ports in and out with a firewall
>> and only opening the ones you need.  Bittorrent makes that
>> difficult since it connects out to unpredictable ports.  Do you
>> block outbound ports with a firewall or only inbound?
>
> For the most part only inbound. Blocking outbound is pretty much
> pointless as a security measure.
>
> You cannot control what people will want to connect to outbound. Every
> time you think you have a complete list, someone will come along and
> provide you with heaps of reasons as to why their request is legit
> (and it usually is!)
>
> What you can control completely is the services you offer and on what
> ports, therefore inbound firewalls make sense.
>
> That's not to say we don't use outbound firewalls at all, we do - as a
> policy measure. Outbound port 25 is blocked so that people will use my
> relays instead. I trust them to play nice, they trust me to keep the
> service up. For us, this works well. But as a security measure the
> entire model falls apart as soon as someone with a clue comes along. I
> have this game I play with our firewall/security people where I get to
> look smug. Tool of choice? ssh
>
> The security benefits from outbound connections to my mind are:
> warm-and-fuzzy security
> cover-your-ass security
> just-do-whatever-the-damn-auditor-says-so-he-can-stfu security
> i-don't-know-what-i'm-doing security
>
> but almost never real security. That's better done with permanent ACLs
> on the routers.
>
> --
> alan dot mckinnon at gmail dot com
>
>


-- 
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/




* [gentoo-user] Re: Do you block outbound ports?
  2011-08-20 17:38 [gentoo-user] Do you block outbound ports? Grant
                   ` (2 preceding siblings ...)
  2011-08-20 22:41 ` [gentoo-user] " Paul Hartman
@ 2011-08-21 12:10 ` James
  3 siblings, 0 replies; 6+ messages in thread
From: James @ 2011-08-21 12:10 UTC (permalink / raw
  To: gentoo-user

Grant <emailgrant <at> gmail.com> writes:

>  Do you block outbound ports
> with a firewall or only inbound?

Logging outbound traffic, and then looking
at (analyzing) the outbound traffic may
be of interest to you. Two extremes
are wildly unpredictable: human imaginations
in a collective where outbound traffic policy
is constantly morphing; like a collection
of young computer scientists at your local 
university. Like Alan alluded to, a basic
nightmare of intellectual argument as to
monitoring or blocking outbound traffic.

In the case where the services utilized
are more consistent in a pattern that is somewhat
consistent over time. For example a network
full of machines (literally machines for
physical process control) or servers offering limited
fixed services, then blocking outbound traffic 
(that should not nor ever exist) could make sense.
In a complex network, this may mean several different
firewalls with different policies on outbound
traffic. 

The latter network may be a candidate for 
extensive monitoring, pattern detection and
profiling of outbound traffic; with subsequent
port blocking. If it's not used, block it, some
would say. Whether it is more work than of value,
can only be decided by the logs and the policy
requirements of that network's owner.


hth,
James
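An added example, not from any of the posters, pulling together the policies in this thread as an iptables-restore ruleset: default-deny inbound as Paul describes, outbound tcp/25 permitted only to named relays as in Alan's setup, and rate-limited logging of other new outbound connections to feed the log analysis James suggests. The relay addresses are passed as arguments; the 192.0.2.x values are documentation addresses chosen only for illustration.

```shell
# Added example (not from the thread): generate an iptables-restore ruleset.
# Usage: gen_rules RELAY_IP [RELAY_IP ...] | iptables-restore
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Inbound: loopback, replies to our own connections, and ssh only.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
    # Outbound: loopback and already-established traffic pass unlogged.
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # SMTP may only go to the listed relays (policy, not security, as Alan
    # says); anything else on tcp/25 is logged, rate-limited, and rejected.
    for relay in "$@"; do
        printf '%s\n' "-A OUTPUT -p tcp --dport 25 -d $relay -j ACCEPT"
    done
    printf '%s\n' '-A OUTPUT -p tcp --dport 25 -m limit --limit 5/min -j LOG --log-prefix "SMTP-BLOCKED: "'
    printf '%s\n' '-A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset'
    # Every other new outbound connection is logged but still allowed; the
    # log is the data for deciding later which ports are really in use.
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate NEW -m limit --limit 10/min -j LOG --log-prefix "OUT-NEW: "'
    printf '%s\n' 'COMMIT'
}

# Sanity check before loading: number of relay exception rules emitted.
# (grep -c exits 1 when the count is zero, so call this with at least one relay.)
count_relay_rules() {
    gen_rules "$@" | grep -c -- '--dport 25 -d '
}

if [ "$#" -gt 0 ]; then
    gen_rules "$@"
fi
```

Review the generated text before piping it into iptables-restore; the ssh rule is there so a remote session survives the default-deny INPUT policy.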





