For security, that is the short answer. E.g., allowing only X in is great
for keeping people out of your network, except for resources you wish to
provide. Setting out rules is great for limiting your internal users or
machines. Here are some fun outbound rules that will save you a lot of
headache later:
1.) Block TCP 6666 and 6667 except for those machines that you actually
use IRC with; now you have just prevented many worms from sending data to
IRC bots if they end up being infected.
2.) Block IM systems, because you don't want people using IM while on
your network.
3.) Block P2P outbound ports; now we lower our liability of getting sued
as a business, as we performed due diligence on preventing P2P... yes,
someone can get around it, but we can show in court we did something to
prevent it. (This is the same as your H/R department having a policy on
porn and other such items in the workplace; yes, I can still have it,
but the company has protected itself from a civil suit as they can point
to the rule and say "well, we tried to prevent it, he broke the rules.")
4.) Block all but TCP high ports; this is often used to limit what
people can do. Where I work we are so specific that this rule is
forbidden, and we outline exactly what high ports can be used, and at
what times of the day. E.g. you can only play "Everquest" from 5pm -
6am, so work during the work day.
Blocking / restricting outbound ports is like 80% of good security on a
network once you pass the basic stuff.
You might also have items like the following:
Outbound port 22 is only allowed from hosts X,Y, and Z.
Outbound port 80 is only allowed from the following IP block; now my
application servers (on a different block) do not have the ability to
download over HTTP. This is a good thing. It is more admin, but MUCH
better security.
Scott Ullrich wrote:
>On Thu, 31 Mar 2005 20:30:36 +0200, marijan <mjakara at xnet dot hr> wrote:
>
>>I need out filter desperately !!!
>
>Why do you need the out direction? m0n0wall uses ipfilter which uses
>stateful connections. Once the packets are permitted (in) on an
>interface it will automatically be permitted to exit out the
>destination interface (wan for example).
>
>Regards,
>
>Scott
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: m0n0wall dash dev dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash dev dash help at lists dot m0n0 dot ch
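The outbound rules listed in the reply above, written out as an ipfilter rule set the way m0n0wall evaluates LAN traffic (rules applied "in" on the LAN interface, with "keep state" letting the replies back out, which is Scott's point). This is an added example, not code from the original post or from the m0n0wall project. The interface name (sis0), the address blocks, the resolver address, and the IM/P2P port numbers are assumptions chosen for illustration; substitute your own.

```ipf
# Egress policy for the LAN interface of an ipfilter-based firewall.
# Added example, not from the original post or from m0n0wall.
# Assumed names and addresses:
#   sis0             LAN interface
#   192.168.1.0/24   user workstations
#   192.168.2.0/24   application servers (separate block, no web browsing)
#   192.168.1.1      the firewall's own DNS forwarder
#   192.168.1.50     the only host allowed to use IRC
#   192.168.1.10/.11/.12   the only hosts allowed to ssh out
# ipf checks rules top to bottom; "quick" stops at the first match, so the
# specific pass rules come first and the catch-all block at the end is the
# default for everything not listed.

# 1) IRC (TCP 6666/6667): one designated client may, all others are blocked and logged.
pass in quick on sis0 proto tcp from 192.168.1.50 to any port = 6666 flags S keep state
pass in quick on sis0 proto tcp from 192.168.1.50 to any port = 6667 flags S keep state
block in log quick on sis0 proto tcp from any to any port = 6666
block in log quick on sis0 proto tcp from any to any port = 6667

# 2) IM: AIM/ICQ (TCP 5190), MSN (TCP 1863) and Jabber (TCP 5222) blocked for everyone.
block in log quick on sis0 proto tcp from any to any port = 5190
block in log quick on sis0 proto tcp from any to any port = 1863
block in log quick on sis0 proto tcp from any to any port = 5222

# 3) P2P: Gnutella (6346), BitTorrent (6881-6889; "><" is an exclusive range),
#    eDonkey (TCP 4662 / UDP 4672). Port hopping still gets around this; the
#    log entries are the "we tried" record the post talks about.
block in log quick on sis0 proto tcp from any to any port = 6346
block in log quick on sis0 proto tcp from any to any port 6880 >< 6890
block in log quick on sis0 proto tcp from any to any port = 4662
block in log quick on sis0 proto udp from any to any port = 4672

# Outbound ssh only from hosts X, Y and Z.
pass in quick on sis0 proto tcp from 192.168.1.10 to any port = 22 flags S keep state
pass in quick on sis0 proto tcp from 192.168.1.11 to any port = 22 flags S keep state
pass in quick on sis0 proto tcp from 192.168.1.12 to any port = 22 flags S keep state

# Web only from the user block. The application-server block never matches
# these two rules and so falls through to the final block rule.
pass in quick on sis0 proto tcp from 192.168.1.0/24 to any port = 80 flags S keep state
pass in quick on sis0 proto tcp from 192.168.1.0/24 to any port = 443 flags S keep state

# DNS to the firewall's own forwarder for both blocks; nothing above works without it.
pass in quick on sis0 proto udp from 192.168.1.0/24 to 192.168.1.1 port = 53 keep state
pass in quick on sis0 proto udp from 192.168.2.0/24 to 192.168.1.1 port = 53 keep state

# 4) Everything else, including the TCP high ports, is denied by default and logged.
block in log quick on sis0 all
```

Two things worth checking when you adapt this: every "pass" rule carries "keep state", because with a default "block" at the end the return packets are only admitted through the state table; and ipfilter has no time-of-day matching, so the 5pm - 6am high-port window from item 4 has to be done by swapping rule files on a schedule (for example a cron job running "ipf -Fa -f /etc/ipf.conf.evening" and the daytime file again in the morning) rather than by anything in the rule syntax.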