 
 From:  William Arlofski <waa dash m0n0wall at revpol dot com>
 To:  Claude Morin <klodefactor at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Blocking outbound traffic - concessus
 Date:  Thu, 31 Mar 2005 15:14:10 -0500
Claude Morin wrote:
> Be aware that many modern apps (e.g. P2P, IM, etc.) try fairly hard to find 
> some way out; many (most?) of them are able to tunnel across HTTP/HTTPS.
> 
> In short, while the rules William lists are good, solid rules, they won't 
> stop P2P or IM.
> 
> -klode


You are absolutely correct. This is the reason I often recommend a proxy
server.  The combination of squid (http://squid-cache.org) and
DansGuardian (http://www.dansguardian.org) and a strict set of rules to only
allow port 80/443 traffic from the proxy server allows for
filtering, blocking, etc. via DansGuardian. :)

It seems these days all these apps are set to fall back to just about
any port (TCP or UDP) when their primary port is blocked. I've even seen
some use port 53/UDP.

BTW (for the original poster): blocking everything also stops
viruses/worms/trojans from opening back-doors to IRC channels, etc.

I say block it all, and be careful what you allow out. Sad to say, but
you need to treat your internal (trusted??) machines as the enemy as
much or more so than the external Internet at large. :)

-
Bill Arlofski
waa dash m0n0wall at revpol dot com
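As an added example (not code from the thread or from m0n0wall), here is a small Python model of the egress policy Bill describes: default deny outbound, TCP 80/443 allowed only from the proxy, and UDP 53 allowed only from the firewall's own forwarder. The LAN addresses, the proxy/forwarder hosts and the sample connection attempts are all constructed for the example.

```python
"""Model of a default-deny egress policy: only the proxy may reach TCP 80/443
and only the firewall's DNS forwarder may reach UDP 53. Every address below
is a constructed example, not taken from the mailing-list thread."""
from ipaddress import ip_address, ip_network

# Hypothetical LAN layout (assumption for the example).
LAN = ip_network("192.168.1.0/24")
PROXY = ip_address("192.168.1.2")          # squid + DansGuardian box
DNS_FORWARDER = ip_address("192.168.1.1")  # the firewall itself

# Each rule is (source host, protocol, destination port). Anything that
# matches no rule is dropped, which is the "block it all" default.
EGRESS_RULES = [
    (PROXY, "tcp", 80),
    (PROXY, "tcp", 443),
    (DNS_FORWARDER, "udp", 53),
]


def egress_allowed(src, proto, dport):
    """True only if an explicit allow rule matches this outbound flow."""
    src = ip_address(src)
    if src not in LAN:            # not one of ours, never forward it
        return False
    return any(src == r_src and proto == r_proto and dport == r_port
               for r_src, r_proto, r_port in EGRESS_RULES)


def evaluate(attempts):
    """Map each constructed attempt's description to its verdict."""
    return {desc: egress_allowed(src, proto, dport)
            for desc, src, proto, dport in attempts}


# Constructed attempts mirroring the fallback behaviour the thread describes:
# apps tunnelling over HTTP/HTTPS, falling back to 53/UDP, or a trojan
# calling out to IRC (port 6667 is an assumption, not from the thread).
ATTEMPTS = [
    ("proxy fetching a web page", "192.168.1.2", "tcp", 443),
    ("workstation browsing directly", "192.168.1.50", "tcp", 80),
    ("P2P client tunnelling over HTTPS", "192.168.1.50", "tcp", 443),
    ("IM client falling back to 53/UDP", "192.168.1.50", "udp", 53),
    ("firewall forwarding DNS", "192.168.1.1", "udp", 53),
    ("trojan calling home to IRC", "192.168.1.77", "tcp", 6667),
]

if __name__ == "__main__":
    for desc, allowed in evaluate(ATTEMPTS).items():
        print(f"{'ALLOW' if allowed else 'DROP':5} {desc}")
```

Note that the tunnelled HTTPS attempt is dropped only because it comes from the workstation rather than the proxy; once the same traffic goes through the proxy, it is DansGuardian's filtering, not the port rule, that has to catch it.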