[ previous ] [ next ] [ threads ]
 From:  Don Munyak <don dot munyak at gmail dot com>
 To:  waa dash m0n0wall at revpol dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Blocking outbound traffic - concessus
 Date:  Thu, 31 Mar 2005 13:49:43 -0500
Bill...Thanks a bunch.

Looks Like I need to do some tweaking.

- Don

On Thu, 31 Mar 2005 13:02:42 -0500, William Arlofski
<waa dash m0n0wall at revpol dot com> wrote:
> Don Munyak wrote:
> > What types of traffic are you blocking from a business perspective ? I
> > am just curious about what traffic I might want to block in the LAN
> > outbound direction..ie P2P, IM, 445 ports.
> When I set up a firewall for my clients, ALL outbound traffic is blocked
> to start with. Then, individual ports are opened for specific, required
> services, but usually only to specific external servers providing the
> service.
> Outbound port 80 and 443 are opened for all clients for web browsing,
> unless a proxy/caching server is installed at which time, those ports
> are opened only for the cache server.  Then, all client web-browsing
> requests must pass through the proxy/caching server. Saves bandwidth and
> provides logging, content filtering and auditing capabilities.
> Outbound FTP is opened when/if the client needs it. Same as above if a
> cache server is on-site.
> Outbound port 25 is allowed ONLY for the internal email server. All
> internal clients are set to use internal email server for sending email.
> If there is no internal email server, then outbound port 25 is allowed
> for internal clients, but only to their ISP's email server. This helps
> to mitigate zombie spam machines from spewing out their crap without it
> being logged locally or at the upstream ISP.
> Port 110/143 is only opened to their own, company run or
> company-approved email server. Generally email on these servers has been
> virus-scanned and/or filtered through RBLs and/or Spamassassin/Razor.
> (oh and Outlook is discouraged whenever possible)
> Services like NTP, and DNS are opened ONLY for their internal NTP and
> DNS server(s). All clients are configured to use the internal servers
> for these services.
> Then, as needs arise (like sites that run web servers on NON-standard
> ports) ports are opened as required.
> Paranoid? You bet.
> YMMV, but my clients are normally happy with these type of restrictions,
> and actually never really even notice them since all services still work
> as needed/expected. Plus with outbound blocking of all but necessary
> services, they are being "good netizens" as well.
> Hope this helps.
> -
> Bill Arlofski
> waa dash m0n0wall at revpol dot com