 From:  Falcor <falcor at netassassin dot com>
 To:  Scott Ullrich <sullrich at gmail dot com>
 Cc:  marijan <mjakara at xnet dot hr>, Monowall Develop <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall-dev] why only 'IN' firewall rules?
 Date:  Thu, 31 Mar 2005 13:12:14 -0600
For security, that is the short answer.  E.g. allow only X in is great 
for keeping people out of your network, except for resources you wish to 
provide.  Setting out rules is great to limit your internal users or 
machines.  Here are some fun outbound rules that will save you a lot of 
headache later:

1.) Block TCP 6666 and 6667 except for those machines that you actually 
use IRC with, now you just prevented many worms from sending data to IRC 
bots if they end up being infected.
2.) Block IM systems, because you don't want people using IM while on 
your network.
3.) Block P2P outbound ports, now we lower our liability on getting sued 
as a business as we performed due diligence on preventing P2P... yes 
someone can get around it, but we can show in court we did something to 
prevent it.  (This is the same as your H/R department having a policy on 
porn and other such items in the workplace, yes I can still have it.. 
but the company has protected itself from a civil suit as they can point 
to the rule and say "well we tried to prevent it, he broke the rules.")
4.) block all but TCP high ports, this is often used to limit what 
people can do.  Where I work we are so specific that this rule is 
forbidden and we outline exactly what high ports can be used, and at 
what times of the day.  E.g. you can only play "Everquest" from 5pm - 
6am, so work during the work day.

blocking / restricting outbound ports is like 80% of good security on a 
network once you pass the basic stuff.

You might also have items like the following:

Outbound port 22 is only allowed from hosts X,Y, and Z. 
Outbound port 80 is only allowed from the following IP block, now my 
application servers (on a different block) do not have the ability to 
download from HTTP.. this is a good thing.  It is more admin, but MUCH 
better security.

Scott Ullrich wrote:

>On Thu, 31 Mar 2005 20:30:36 +0200, marijan <mjakara at xnet dot hr> wrote:
>>I need out filter desperately !!!
>Why do you need the out direction?  m0n0wall uses ipfilter which uses
>stateful connections.  Once the packets are permitted (in) on an
>interface it will automatically be permitted to exit out the
>destination interface (wan for example).
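The egress policy Falcor describes, written out as an ipfilter rule set; this is an added example, not a rule set from the list post or from the m0n0wall project. It assumes the WAN interface is fxp0, workstations live in 192.168.1.0/24 (with 192.168.1.10-12 as the hosts allowed to use IRC and SSH), application servers live in 192.168.2.0/24, and the IM and P2P port numbers are illustrative rather than a complete list.

```conf
# ipf.conf fragment: outbound (egress) policy on the WAN side.
# ipfilter is last-match by default; "quick" makes a rule final, so the
# order below is the evaluation order. Reply packets for sessions that
# already have a state entry bypass these rules entirely.

# 1) IRC: only the named machine may open TCP 6666/6667; everything else
#    trying to (e.g. an infected box phoning home to an IRC bot) is logged.
pass  out quick on fxp0 proto tcp from 192.168.1.10 to any port = 6666 flags S keep state
pass  out quick on fxp0 proto tcp from 192.168.1.10 to any port = 6667 flags S keep state
block out log quick on fxp0 proto tcp from any to any port = 6666
block out log quick on fxp0 proto tcp from any to any port = 6667

# 2) Instant messaging (illustrative ports: AIM/ICQ 5190, MSN 1863).
block out log quick on fxp0 proto tcp from any to any port = 5190
block out log quick on fxp0 proto tcp from any to any port = 1863

# 3) P2P (illustrative ports: eDonkey 4662, Gnutella 6346).
block out log quick on fxp0 proto tcp from any to any port = 4662
block out log quick on fxp0 proto tcp from any to any port = 6346

# Outbound SSH only from hosts X, Y and Z.
pass  out quick on fxp0 proto tcp from 192.168.1.10 to any port = 22 flags S keep state
pass  out quick on fxp0 proto tcp from 192.168.1.11 to any port = 22 flags S keep state
pass  out quick on fxp0 proto tcp from 192.168.1.12 to any port = 22 flags S keep state
block out log quick on fxp0 proto tcp from any to any port = 22

# Outbound HTTP only from the workstation block. The application server
# block never matches the pass rule, so it cannot download over HTTP.
pass  out quick on fxp0 proto tcp from 192.168.1.0/24 to any port = 80 flags S keep state
block out log quick on fxp0 proto tcp from any to any port = 80

# DNS for everyone, then 4) TCP high ports only, then deny the rest.
pass  out quick on fxp0 proto udp from any to any port = 53 keep state
pass  out quick on fxp0 proto tcp from any to any port > 1023 flags S keep state
block out log quick on fxp0 all
```

Load it with `ipf -Fa -f /etc/ipf.conf` on a plain ipfilter host and watch `ipmon` for the logged blocks; on m0n0wall the equivalent rules are entered per interface in the web GUI, which generates the ipf rules for you.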