 From:  "Klaus Stock" <ks at stock dash consulting dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] LAN rule suggestions
 Date:  Wed, 04 Apr 2007 13:43:38 +0200
> The default LAN setting is working but it allows everything to exit the
> firewall.  Several articles I've read suggest restricting outgoing packets
> from the LAN to prevent viruses and such from contacting their mothership.
> My LAN has a mix of Linux and Windows boxen.  Any suggestions/examples of
> LAN rulesets?  Any popular ports used by viruses to close?
> I didn't see a FAQ article covering this.

That's so easy that it does not need a FAQ article :-)

Close everything and wait for the users to yell. Act accordingly.

If the only acceptable mail server lives in the DMZ everything is okay.
Otherwise, you'll need to allow access to the IP address of the allowed
external POP3/IMAP/SMTP server. Do *NOT* allow SMTP access to any address,
as malware likes to abuse this.

Port 80 is bad, very bad. This is the easiest way for spyware to "phone
home", especially if the traffic is disguised as HTTP. If you *really* want
a 100% waterproof system, do not listen to your users' yelling this time. They
only want to surf to pr0n sites anyway. :-)

UDP may also be a logical choice to block. That way you'll eliminate UDP
hole punching (and also file sharing software which uses UDP hole punching -
yup, Skype *does* include such "suspicious" software!).

Unfortunately, by now you'll need a couple of bodyguards whenever you get
close to your users. With port 80 blocked, they cannot even use an HTTP
tunneling software to circumvent your measures! Unless you opened some ports
for e-mail access WITHOUT specifying allowed server addresses - then they
could tunnel HTTP via the POP3 or IMAP ports. Bad, bad users! They will go to
great lengths to be able to access their beloved, virus-infested pr0n or
warez sites again!

You may consider allowing SSL, though, so your users are not cut off.

So, the more user-friendly ways could be:
- Block everything, except web browsing/e-mail and allowed applications.
- Alternatively, allow everything, except known applications which should be
kept "locked in", like database engines which run in the LAN. Note that this
will provide almost no security (except, perhaps, against the Slammer worm).

Best regards, Klaus
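As an added illustration (not part of Klaus's reply, and not m0n0wall's own rule engine), here is a small Python model of the first-match egress policy the post sketches: mail traffic only to one approved external server, no SMTP anywhere else, HTTPS left open so users are not cut off, all UDP blocked to defeat hole punching, and an implicit default deny for everything unmatched. The addresses are constructed placeholders from documentation ranges, and the "friendly" variant shows the "block everything except web browsing/e-mail" option by adding plain HTTP. The rule order matters exactly as it does in a real first-match filter: the pass to the mail server must sit above the blanket block of port 25.

```python
"""
Toy first-match egress policy evaluator (added example, not m0n0wall code).

Models the LAN ruleset from the post: default deny, with a short list of
explicit passes and a few explicit blocks whose comments end up in the log.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses from RFC 5737 documentation ranges, not real hosts.
MAIL_SERVER = ip_network("203.0.113.10/32")   # the one external mail host users may reach
LAN_RESOLVER = ip_network("192.168.1.1/32")   # the firewall's own DNS forwarder
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: Optional[str]         # "tcp", "udp" or None for any protocol
    dst: object                  # ip_network the destination must fall inside
    dports: Optional[frozenset]  # destination ports the rule covers, None for any
    why: str                     # comment reported when this rule decides a flow

    def matches(self, proto: str, dst_ip, dport: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if dst_ip not in self.dst:
            return False
        if self.dports is not None and dport not in self.dports:
            return False
        return True


# "Close everything and wait for the users to yell": the strict variant.
STRICT = [
    Rule("pass",  "udp", LAN_RESOLVER, frozenset({53}),
         "DNS only via the firewall's resolver"),
    Rule("pass",  "tcp", MAIL_SERVER, frozenset({25, 110, 143, 993, 995}),
         "mail only to the approved server"),
    Rule("block", "tcp", ANY, frozenset({25}),
         "no SMTP to arbitrary hosts (malware abuses it)"),
    Rule("pass",  "tcp", ANY, frozenset({443}),
         "HTTPS so users are not cut off"),
    Rule("block", "udp", ANY, None,
         "no UDP: defeats hole punching"),
]

# "Block everything except web browsing/e-mail": the friendlier variant
# appends plain HTTP; appending keeps the SMTP and UDP blocks above it.
FRIENDLY = STRICT + [
    Rule("pass", "tcp", ANY, frozenset({80}), "plain HTTP browsing"),
]


def evaluate(rules, proto: str, dst: str, dport: int):
    """First matching rule wins; an unmatched flow hits the implicit default block."""
    dst_ip = ip_address(dst)
    for rule in rules:
        if rule.matches(proto, dst_ip, dport):
            return rule.action, rule.why
    return "block", "default deny"


def audit(rules, flows):
    """One log-style line per (proto, dst, dport) flow, useful for eyeballing a policy."""
    lines = []
    for proto, dst, dport in flows:
        action, why = evaluate(rules, proto, dst, dport)
        lines.append(f"{action:5} {proto} -> {dst}:{dport}  # {why}")
    return lines


if __name__ == "__main__":
    # Constructed sample flows a LAN host might attempt.
    SAMPLE_FLOWS = [
        ("udp", "192.168.1.1", 53),     # DNS to the firewall
        ("tcp", "203.0.113.10", 25),    # SMTP to the approved mail server
        ("tcp", "198.51.100.7", 25),    # SMTP to some random host: malware-style
        ("tcp", "198.51.100.7", 443),   # HTTPS browsing
        ("tcp", "198.51.100.7", 80),    # plain HTTP: blocked strict, allowed friendly
        ("udp", "198.51.100.7", 3478),  # STUN-style UDP used for hole punching
    ]
    print("strict policy:")
    print("\n".join(audit(STRICT, SAMPLE_FLOWS)))
    print("\nfriendly policy:")
    print("\n".join(audit(FRIENDLY, SAMPLE_FLOWS)))
```

The point the model makes visible is that "allow mail" and "block SMTP to anything" coexist only because of rule order: swap the two and the approved server becomes unreachable, while dropping the destination restriction on the mail pass reopens the tunnelling path Klaus warns about.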