Jeffrey Goldberg wrote:

> Hello,

--[snip]--

> Also, is there some set of rules that people recommend for being a "good
> network citizen"? That is, what should I try to prevent from leaving my
> network?

Hi Jeffrey...

My recommendation is to set up the firewall to ONLY allow out what you require, and nothing else.

80 http (usually required)
443 https (usually required)
110 pop3 (sometimes required)
995 pop3s "
443 imap "
993 imaps "

...and then any other ports you specifically require.

I am so paranoid that I even limit things like pop/imap/smtp to specific known servers - and only from specific internal hosts. For example, if _you_ need IRC access to talk to us in #m0n0wall, then allow your machine access to a short list of IRC servers rather than allowing IRC access out, which would open your network up to infected/owned Windows machines being remotely controlled.

Then block & log everything else to a remote syslog server where you can use a program to watch the log and alert you via email/pager etc. Just make sure you tweak the monitoring software so that you are not getting 1,000 emails or pagers per hour. :)

One comment though, I usually block/drop and don't log Microsoft networking packets, as they are so prominent...

Just my 2 paranoid cents.

- -
Bill Arlofski
waa dash m0n0wall at revpol dot com
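The two pieces of the advice above that benefit from a concrete form are the default-deny egress policy (a short global port list plus per-host exceptions for things like IRC) and the log watcher that alerts on blocked egress without paging you a thousand times an hour or drowning in Microsoft networking noise. The following is an added example written for this page, not code from the original post or from the m0n0wall project; the log line format, the addresses, the IMAP port (143 is assumed here) and the sample log are all constructed for illustration.

```python
"""Default-deny egress policy check plus a rate-limited watcher for block logs."""
import re
from collections import Counter, defaultdict

# Ports any internal host may reach directly (the post's list; 143 assumed for IMAP).
GLOBAL_EGRESS_PORTS = {80, 443, 110, 995, 143, 993}

# Per-host exceptions: source host -> {(destination, port), ...}.  Hypothetical
# addresses: only one workstation may talk IRC, and only to two named servers.
HOST_EXCEPTIONS = {
    "192.168.1.40": {("198.51.100.10", 6667), ("198.51.100.11", 6667)},
}

# Microsoft networking ports that are dropped without logging, as in the post.
MS_NETWORKING_PORTS = {135, 137, 138, 139, 445}


def egress_allowed(src, dst, dport):
    """Default deny: pass only the global port list or an explicit host/destination pair."""
    if dport in GLOBAL_EGRESS_PORTS:
        return True
    return (dst, dport) in HOST_EXCEPTIONS.get(src, set())


# Constructed, ipmon-style log lines (not real m0n0wall output):
# "<time> <iface> <b|p> <src>,<sport> -> <dst>,<dport> PR <proto>"
SAMPLE_LOG = """\
10:01:02 em0 b 192.168.1.20,1034 -> 10.0.0.5,445 PR tcp
10:01:03 em0 b 192.168.1.20,1035 -> 10.0.0.5,139 PR tcp
10:01:05 em0 b 192.168.1.30,2049 -> 203.0.113.7,6667 PR tcp
10:01:06 em0 b 192.168.1.30,2050 -> 203.0.113.7,6667 PR tcp
10:01:07 em0 p 192.168.1.40,3000 -> 198.51.100.10,6667 PR tcp
10:01:08 em0 b 192.168.1.30,2051 -> 203.0.113.8,25 PR tcp
10:01:09 em0 b 192.168.1.30,2052 -> 203.0.113.9,25 PR tcp
10:01:10 em0 b 192.168.1.30,2053 -> 203.0.113.10,25 PR tcp
10:01:11 em0 b 192.168.1.30,2054 -> 203.0.113.7,6668 PR tcp
this is not a log line
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def blocked_events(lines):
    """Yield blocked ('b') events, skipping junk lines and Microsoft networking noise."""
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "b":
            continue
        if ev["dport"] in MS_NETWORKING_PORTS:
            continue
        yield ev


def summarize_blocks(lines):
    """Count blocked egress attempts per (source host, destination port)."""
    return Counter((ev["src"], ev["dport"]) for ev in blocked_events(lines))


def build_alerts(lines, max_alerts_per_host=2):
    """One alert per (host, port), busiest first, capped per host so a single
    infected box cannot turn into a thousand pages an hour."""
    per_host = defaultdict(list)
    for (src, dport), n in sorted(summarize_blocks(lines).items(), key=lambda kv: -kv[1]):
        per_host[src].append((dport, n))
    alerts = []
    for src, items in per_host.items():
        for dport, n in items[:max_alerts_per_host]:
            alerts.append(f"{src}: {n} blocked attempt(s) to tcp/{dport}")
        suppressed = len(items) - max_alerts_per_host
        if suppressed > 0:
            alerts.append(f"{src}: {suppressed} further destination port(s) suppressed")
    return alerts


if __name__ == "__main__":
    for a in build_alerts(SAMPLE_LOG.splitlines()):
        print(a)
```

In the sample, 192.168.1.20 only generates SMB/NetBIOS noise and never appears in an alert, 192.168.1.40's IRC session passes because of its host exception, and 192.168.1.30 (which has no exception) gets two alerts plus a one-line suppression notice rather than one message per blocked connection. On a real deployment the suppression counter is what you tune first, and the per-host exception table should stay short enough to review by eye.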