Be aware that many modern apps (e.g. P2P, IM, etc.) try fairly hard to find
some way out; many (most?) of them are able to tunnel across HTTP/HTTPS.
In short, while the rules William lists are good, solid rules, they won't
stop P2P or IM.
On Mar 31, 2005 1:02 PM, William Arlofski <waa dash m0n0wall at revpol dot com> wrote:
> Don Munyak wrote:
> > What types of traffic are you blocking from a business perspective ? I
> > am just curious about what traffic I might want to block in the LAN
> > outbound direction, i.e. P2P, IM, 445 ports.
> When I set up a firewall for my clients, ALL outbound traffic is blocked
> to start with. Then, individual ports are opened for specific, required
> services, but usually only to specific external servers providing the
> Outbound port 80 and 443 are opened for all clients for web browsing,
> unless a proxy/caching server is installed at which time, those ports
> are opened only for the cache server. Then, all client web-browsing
> requests must pass through the proxy/caching server. Saves bandwidth and
> provides logging, content filtering and auditing capabilities.
> Outbound FTP is opened when/if the client needs it. Same as above if a
> cache server is on-site.
> Outbound port 25 is allowed ONLY for the internal email server. All
> internal clients are set to use internal email server for sending email.
> If there is no internal email server, then outbound port 25 is allowed
> for internal clients, but only to their ISP's email server. This helps
> to mitigate zombie spam machines from spewing out their crap without it
> being logged locally or at the upstream ISP.
> Port 110/143 is only opened to their own, company run or
> company-approved email server. Generally email on these servers has been
> virus-scanned and/or filtered through RBLs and/or Spamassassin/Razor.
> (oh and Outlook is discouraged whenever possible)
> Services like NTP, and DNS are opened ONLY for their internal NTP and
> DNS server(s). All clients are configured to use the internal servers
> for these services.
> Then, as needs arise (like sites that run web servers on NON-standard
> ports) ports are opened as required.
> Paranoid? You bet.
> YMMV, but my clients are normally happy with these type of restrictions,
> and actually never really even notice them since all services still work
> as needed/expected. Plus with outbound blocking of all but necessary
> services, they are being "good netizens" as well.
> Hope this helps.
> Bill Arlofski
> waa dash m0n0wall at revpol dot com
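As an added illustration (example code, not from the thread or m0n0wall itself), Bill's default-deny egress policy encoded as an allow-list and checked against constructed connection attempts; the LAN range, server addresses and the external approved POP3/IMAP host are assumptions. Note that the web rule matches any destination on 80/443, which is exactly the gap the reply above points out for HTTP-tunnelling P2P/IM clients.

```python
from __future__ import annotations
import ipaddress
from typing import NamedTuple

# Constructed addresses (RFC 1918 and documentation ranges), not taken from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
MAIL_SERVER = ipaddress.ip_address("192.168.1.10")      # internal SMTP server
DNS_NTP_SERVER = ipaddress.ip_address("192.168.1.2")    # internal resolver and NTP server
APPROVED_MAIL = ipaddress.ip_address("203.0.113.10")    # company-approved hosted POP3/IMAP
ANY = None  # wildcard for the source or destination side of a rule

# Bill's egress policy as an ordered allow-list: (name, sources, destinations, proto, ports).
# None on a side means "any host"; anything that matches no rule is dropped.
POLICY = [
    ("web browsing",  ANY,              ANY,             "tcp", {80, 443}),
    ("outbound SMTP", {MAIL_SERVER},    ANY,             "tcp", {25}),
    ("POP3/IMAP",     ANY,              {APPROVED_MAIL}, "tcp", {110, 143}),
    ("DNS",           {DNS_NTP_SERVER}, ANY,             "udp", {53}),
    ("NTP",           {DNS_NTP_SERVER}, ANY,             "udp", {123}),
]

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

def decide(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one outbound flow; unmatched LAN traffic is denied."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src not in LAN:
        return False, "source not on LAN"
    for name, srcs, dsts, proto, ports in POLICY:
        if (proto == flow.proto and flow.dport in ports
                and (srcs is None or src in srcs) and (dsts is None or dst in dsts)):
            return True, name
    return False, "default deny"

# Constructed connection attempts to run the policy over.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "198.51.100.20", "tcp", 443),  # workstation browsing: allowed
    Flow("192.168.1.50", "198.51.100.30", "tcp", 25),   # workstation sending SMTP directly: blocked
    Flow("192.168.1.10", "198.51.100.30", "tcp", 25),   # internal mail server relaying: allowed
    Flow("192.168.1.50", "198.51.100.53", "udp", 53),   # workstation to outside resolver: blocked
    Flow("192.168.1.2",  "198.51.100.53", "udp", 53),   # internal resolver recursing: allowed
    Flow("192.168.1.50", "198.51.100.40", "tcp", 6881), # unlisted port: blocked by default deny
]

def audit(flows: list[Flow] = SAMPLE_FLOWS) -> list[tuple[Flow, bool, str]]:
    """Evaluate every flow and return the decisions for review or logging."""
    return [(f, *decide(f)) for f in flows]

if __name__ == "__main__":
    for f, ok, why in audit():
        print(f"{'PASS ' if ok else 'BLOCK'} {f.src} -> {f.dst}:{f.dport}/{f.proto} ({why})")
```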