From: James
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: Do you block outbound ports?
Date: Sun, 21 Aug 2011 12:10:46 +0000 (UTC)

Grant writes:

> Do you block outbound ports
> with a firewall or only inbound?

Logging outbound traffic, and then looking at (analyzing) the outbound
traffic, may be of interest to you.

Two extremes. Wildly unpredictable: human imaginations in a collective
where outbound traffic policy is constantly morphing, like a collection
of young computer scientists at your local university. As Alan alluded
to, a basic nightmare of intellectual argument as to monitoring or
blocking outbound traffic.

In the case where the services utilized are more consistent, in a
pattern that is somewhat consistent over time, for example a network
full of machines (literally machines, for physical process control) or
servers offering limited fixed services, then blocking outbound traffic
(that should not nor ever exist) could make sense. In a complex network,
this may mean several different firewalls with different policies on
outbound traffic.

The latter network may be a candidate for extensive monitoring, pattern
detection and profiling of outbound traffic, with subsequent port
blocking. If it's not used, block it, some would say. Whether it is more
work than of value can only be decided by the logs and the policy
requirements of that network's owner.

hth,

James
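As an added example (not part of James's post or of this thread), here is the log, profile, then block workflow for the fixed-service case, in Python over constructed netfilter LOG lines. It assumes a logging rule such as `iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "OUT-NEW: "` is already in place and that syslog records the kernel's LOG output in its usual `IN= OUT= SRC= DST= ... PROTO= SPT= DPT=` layout; the host name, addresses, ports and counts in the sample are made up, and `min_hits` is an illustrative threshold, not a recommendation.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (not a real capture): what syslog records for
#   iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "OUT-NEW: "
# on a hypothetical process-control host "plc1" talking Modbus/TCP (502) to 10.0.1.5,
# DNS/NTP to 10.0.0.2, plus one TCP/443 connection to an outside address seen only once.
SAMPLE_LOG = """\
Aug 21 12:01:03 plc1 kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.1.21 DST=10.0.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40122 DPT=502 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 21 12:01:04 plc1 kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.1.21 DST=10.0.0.2 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=51000 DPT=53 LEN=53
Aug 21 12:02:10 plc1 kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.1.21 DST=10.0.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40123 DPT=502 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 21 12:03:00 plc1 kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.1.21 DST=10.0.0.2 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 21 12:03:30 plc1 kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.1.21 DST=10.0.0.2 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=51001 DPT=53 LEN=53
Aug 21 12:04:12 plc1 kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.1.21 DST=10.0.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=40124 DPT=502 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 21 12:05:41 plc1 kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.1.21 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40125 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 21 12:06:02 plc1 kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.1.21 DST=10.0.1.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

# The DPT group is optional so ICMP lines (which carry TYPE/CODE, not ports) still parse.
LOG_RE = re.compile(
    r"OUT-NEW: IN=\S* OUT=(?P<oif>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dpt>\d+))?"
)


def parse_outbound(lines):
    """Yield (proto, dport, dst) for each logged new outbound flow; dport is None for ICMP."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        dpt = m.group("dpt")
        yield m.group("proto"), (int(dpt) if dpt else None), m.group("dst")


def profile(lines):
    """Pattern detection step: count new flows per (proto, dport) and record the destinations seen."""
    hits = Counter()
    dsts = defaultdict(set)
    for proto, dport, dst in parse_outbound(lines):
        hits[(proto, dport)] += 1
        dsts[(proto, dport)].add(dst)
    return hits, dsts


def build_policy(hits, dsts, min_hits=2):
    """Turn the profile into an explicit OUTPUT allowlist.

    Services seen at least min_hits times become ACCEPT rules pinned to the
    destinations observed. Rarer ones are NOT allowed silently; they go to a
    review list so a human decides whether they belong. Everything else is
    logged and dropped, which keeps the log/analyze loop running after cut-over.
    """
    rules = [
        "iptables -P OUTPUT DROP",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    review = []
    for (proto, dport), n in sorted(hits.items(), key=lambda kv: (-kv[1], str(kv[0]))):
        if n < min_hits:
            review.append((proto, dport, sorted(dsts[(proto, dport)]), n))
            continue
        for dst in sorted(dsts[(proto, dport)]):
            if dport is None:
                rules.append(f"iptables -A OUTPUT -p {proto.lower()} -d {dst} -j ACCEPT")
            else:
                rules.append(
                    f"iptables -A OUTPUT -p {proto.lower()} -d {dst} --dport {dport} "
                    f"-m conntrack --ctstate NEW -j ACCEPT"
                )
    rules.append('iptables -A OUTPUT -j LOG --log-prefix "OUT-DROP: "')
    return rules, review


if __name__ == "__main__":
    hits, dsts = profile(SAMPLE_LOG.splitlines())
    rules, review = build_policy(hits, dsts)
    print("\n".join(rules))
    for proto, dport, where, n in review:
        print(f"# REVIEW: {proto} dport={dport} to {where} seen {n}x")
```

Two things the sample is built to show. First, the single TCP/443 connection to 198.51.100.7 does not get an ACCEPT rule just because it appeared in the logs; a threshold plus a review list is what separates "profiling" from "rubber-stamping whatever the box was already doing". Second, the review list is not a verdict: NTP (UDP/123) also lands there only because the constructed window is five minutes long. Profile over at least one full cycle of the workload (cron jobs, backups, update checks) before switching the policy to DROP, and keep the trailing LOG rule so anything you missed shows up as `OUT-DROP:` rather than as a silent outage.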