 From:  William Arlofski <waa dash m0n0wall at revpol dot com>
 To:  Don Munyak <don dot munyak at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Blocking outbound traffic - concessus
 Date:  Thu, 31 Mar 2005 13:02:42 -0500
Don Munyak wrote:
> What types of traffic are you blocking from a business perspective ? I
> am just curious about what traffic I might want to block in the LAN
> outbound direction..ie P2P, IM, 445 ports.


When I set up a firewall for my clients, ALL outbound traffic is blocked
to start with. Then, individual ports are opened for specific, required
services, but usually only to specific external servers providing the
service.

Outbound ports 80 and 443 are opened for all clients for web browsing,
unless a proxy/caching server is installed, at which time those ports
are opened only for the cache server.  Then, all client web-browsing
requests must pass through the proxy/caching server. Saves bandwidth and
provides logging, content filtering and auditing capabilities.

Outbound FTP is opened when/if the client needs it. Same as above if a
cache server is on-site.

Outbound port 25 is allowed ONLY for the internal email server. All
internal clients are set to use internal email server for sending email.
If there is no internal email server, then outbound port 25 is allowed
for internal clients, but only to their ISP's email server. This helps
to mitigate zombie spam machines from spewing out their crap without it
being logged locally or at the upstream ISP.

Port 110/143 is only opened to their own, company-run or
company-approved email server. Generally email on these servers has been
virus-scanned and/or filtered through RBLs and/or SpamAssassin/Razor.
(oh and Outlook is discouraged whenever possible)

Services like NTP and DNS are opened ONLY for their internal NTP and
DNS server(s). All clients are configured to use the internal servers
for these services.

Then, as needs arise (like sites that run web servers on NON-standard
ports) ports are opened as required.

Paranoid? You bet.

YMMV, but my clients are normally happy with these types of restrictions,
and actually never really even notice them since all services still work
as needed/expected. Plus with outbound blocking of all but necessary
services, they are being "good netizens" as well.

Hope this helps.

-
Bill Arlofski
waa dash m0n0wall at revpol dot com
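
The default-deny outbound policy described in the message above, modelled as an allow-list and run over sample flows. This is an added example, not part of the original post and not m0n0wall configuration; every address, rule name and flow in it is constructed, and it assumes a site with an internal mail server, a proxy/cache and one internal DNS/NTP host.

```python
import ipaddress
from collections import namedtuple

# Constructed addresses for illustration (not from the original message).
LAN = "192.168.1.0/24"
MAIL, PROXY, DNS_NTP = "192.168.1.10/32", "192.168.1.11/32", "192.168.1.12/32"
APPROVED_POP_IMAP = "203.0.113.25/32"  # hypothetical company-approved mail host
ANY = "0.0.0.0/0"

Rule = namedtuple("Rule", "name proto src dst ports")

# Allow-list only: anything that matches no rule is dropped (default deny).
RULES = [
    Rule("web-via-proxy", "tcp", PROXY, ANY, {80, 443}),
    Rule("smtp-mail-server", "tcp", MAIL, ANY, {25}),
    Rule("pop-imap-approved", "tcp", LAN, APPROVED_POP_IMAP, {110, 143}),
    Rule("dns-internal", "udp", DNS_NTP, ANY, {53}),
    Rule("dns-internal-tcp", "tcp", DNS_NTP, ANY, {53}),
    Rule("ntp-internal", "udp", DNS_NTP, ANY, {123}),
]

def evaluate(proto, src, dst, port):
    """Return the name of the first matching allow rule, or None (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if (proto == r.proto and port in r.ports
                and s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)):
            return r.name
    return None

def blocked(flows):
    """Flows the policy would drop; each one is worth logging and reviewing."""
    return [f for f in flows if evaluate(*f) is None]

# Constructed outbound flows: (proto, source, destination, destination port).
FLOWS = [
    ("tcp", "192.168.1.11", "198.51.100.7", 443),   # proxy fetching a page
    ("tcp", "192.168.1.10", "198.51.100.9", 25),    # mail server sending mail
    ("tcp", "192.168.1.57", "198.51.100.9", 25),    # workstation doing direct SMTP
    ("udp", "192.168.1.57", "198.51.100.53", 53),   # workstation bypassing internal DNS
    ("tcp", "192.168.1.57", "203.0.113.25", 143),   # workstation to approved IMAP
    ("tcp", "192.168.1.57", "198.51.100.7", 8080),  # web server on non-standard port
]

if __name__ == "__main__":
    for flow in blocked(FLOWS):
        print("DENY", *flow)
```

The three denied flows are the cases the message calls out: direct SMTP from a workstation, a client bypassing the internal DNS server, and a non-standard web port that would need its own rule.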