 From:  "MN" <mnelson at nels dash sec dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Would like to filter outbound traffic for corporate security purposes but my rules don't seem to work
 Date:  Fri, 11 Nov 2005 21:10:41 -0600
Outbound filtering isn't a stupid thing to do. It's adding another layer to
the D in Depth.  However, unless you have a pretty static environment, you
will be maintaining rules quite a bit.  Looks like your services are basic
so it shouldn't be a big issue tightening up the outbound filtering.

-----Original Message-----
From: Jason Collins [mailto:jason at mammothcomputers dot com] 
Sent: Friday, November 11, 2005 8:54 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Would like to filter outbound traffic for corporate
security purposes but my rules don't seem to work

Hi, I can't believe no one has asked this question previously, but I've done
a diligent search to no avail.  There are some posts saying that they need
outbound filtering, but it seems to me that it is already present in the LAN
side of the Firewall rules.  I added rules to pass DNS, HTTP, HTTPS, etc...
to the lan firewall rules and disabled the default outbound rule permitting
all traffic.  Once I applied the new settings, all traffic out ceased, even
on ports I had specifically enabled.  Is there something I'm missing here?
I based this off of similar configs I've done on Watchguard boxes so I
thought it would be a piece of cake, but I feel like a total noob.  Will
post my relevant status.php info if needed or desired.  Many thanks,
 
Jason M. Collins
 
p.s. to those wanting to know why I would want to do such a thing, it is the
will of my client after one of his users' workstations became infected with
a virus, sent out infected pornography to everyone in the address book,
clogged mailboxes for hundreds of people, and crashed two corporate
mailservers. So, he wants only necessary services to be available from here
on out.  As it's his servers, bandwidth, and PCs, I think he has every right
to make it so.  Thanks again,
 
Jason