 From:  David Rodgers <david dot rodgers at kdsi dot net>
 To:  Manuel Kasper <mk at neon1 dot net>
 Cc:  Nick Rice <nick at rice1 dot net>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Closing Port 0
 Date:  Wed, 17 Mar 2004 12:32:05 -0600
HEAR HEAR! If more people understood that there would be a lot less CRAP
floating around the internet. And while we are talking about doing
things correctly......

I have 2 words #####EGRESS FILTERING#####

Don't use the default rule that allows all traffic out. Only allow the
traffic that you need to go out of your network out. This isn't a new
concept but one VERY OFTEN overlooked out of laziness.

This will save you and the internet as a whole a lot of wasted bandwidth
and routing time.

An example is I have had two bigger DSL customers that had worms on
their internal network in the last month trying to scan other people's
networks for common vulnerabilities. In this case it was scanning for
microsoftish 135-139 stuff across pretty much an entire class A network
from top to bottom. When I received the report I shut them off
temporarily until we could find the worm and kill it.

The problem is that in that time they all but took out a wireless
provider because their radios could not handle the surge of incoming

This could have all been avoided (and in these cases will probably never
happen again) with a little egress filtering.

If you know that you only need access to HTTP, HTTPS, FTP, SSH, AIM,
SMTP and POP3 then create rules to allow those services going out and
delete the default rule allowing everything.

You could take it a step further and if you know that your mail is on a
certain server like mail.mydomain.com you only allow pop3 and smtp
to THAT mail server.

The same goes for FTP, SSH, etc ... any service that you only connect to
a limited group of hosts for.

Another good example would be if you have a file server that runs on
your internal network that isn't also someone's workstation EXPLICITLY
LIMIT access to ANY service on the internet from it using firewall
rules. It's one less potential problem if some idiot couldn't sit down
to your file server and open a web browser and manage to install some
kind of spyware or worse.

This keeps potential problems in your network from affecting your ISP
and others on the internet.


On Wed, 2004-03-17 at 10:39, Manuel Kasper wrote:
> On 17.03.2004 23:12 +1000, Nick Rice wrote:
> > Is there any way to close inbound port 0 ??
> Yes. Don't open it up! :)
> Allowing only what you want and denying everything else by default is
> the only right way to do packet filtering. m0n0wall blocks everything
> that isn't explicitly allowed by your ruleset. If at all possible,
> use only pass rules.
> - Manuel
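The egress policy David describes (drop the allow-all-out rule, pin SMTP/POP3 to the one mail server, cut the file server off entirely, default deny the rest), as an added example that is not part of the original thread or of m0n0wall itself. It is a small first-match rule evaluator in Python, not m0n0wall rule syntax; the LAN range, file server and mail server addresses are constructed placeholders, and the 135-139 scan is simulated to show how many packets would leave under default deny versus the default allow rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample network (placeholders, not real hosts): a LAN behind
# the firewall, the file server on it, and an external mail server standing
# in for mail.mydomain.com.
LAN = ip_network("192.168.1.0/24")
FILE_SERVER = ip_network("192.168.1.10/32")
MAIL_SERVER = ip_network("203.0.113.25/32")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "tcp", "udp" or "any"
    src: object        # ip_network the source must fall in
    dst: object        # ip_network the destination must fall in
    dports: frozenset  # allowed destination ports; empty means any port


# Egress ruleset in the order the post recommends: cut the file server off
# first, pin mail to the one mail server, then allow only the services the
# site needs (HTTP, HTTPS, FTP, SSH, AIM). Anything unmatched hits the default.
EGRESS_RULES = [
    Rule("block", "any", FILE_SERVER, ANY, frozenset()),
    Rule("pass", "tcp", LAN, MAIL_SERVER, frozenset({25, 110})),
    Rule("pass", "tcp", LAN, ANY, frozenset({80, 443, 21, 22, 5190})),
]


def evaluate(rules, proto, src, dst, dport, default="block"):
    """First matching rule wins; the default applies when none matches."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if s not in rule.src or d not in rule.dst:
            continue
        if rule.dports and dport not in rule.dports:
            continue
        return rule.action
    return default


def worm_scan_passed(rules, src, targets, ports, default="block"):
    """Count how many packets of a 135-139 style scan would leave the LAN."""
    return sum(evaluate(rules, "tcp", src, t, p, default) == "pass"
               for t in targets for p in ports)
```

Running `worm_scan_passed` over a /24 of targets with `range(135, 140)` gives 0 under the default block and 1270 with `default="pass"`, which is the allow-all-out rule the post tells you to delete. Note that the post's service list has no DNS, so `evaluate(EGRESS_RULES, "udp", ..., 53)` also returns "block"; a real ruleset needs a UDP 53 pass rule to the resolvers you actually use.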