From owner-freebsd-questions@FreeBSD.ORG Tue May 16 22:34:34 2006
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C39316A6E6 for ; Tue, 16 May 2006 22:34:34 +0000 (UTC) (envelope-from hackmiester@hackmiester.com)
Received: from smtpout07-04.prod.mesa1.secureserver.net (smtpout07-01.prod.mesa1.secureserver.net [64.202.165.230]) by mx1.FreeBSD.org (Postfix) with SMTP id 0BDA743D46 for ; Tue, 16 May 2006 22:34:33 +0000 (GMT) (envelope-from hackmiester@hackmiester.com)
Received: (qmail 29490 invoked from network); 16 May 2006 22:34:33 -0000
Received: from unknown (65.0.171.101) by smtpout07-04.prod.mesa1.secureserver.net (64.202.165.233) with ESMTP; 16 May 2006 22:34:29 -0000
In-Reply-To: <6B0EC275D1AE8D66D26A2093@paul-schmehls-powerbook59.local>
References: <20060511012211.12062.qmail@web51610.mail.yahoo.com> <6B0EC275D1AE8D66D26A2093@paul-schmehls-powerbook59.local>
Mime-Version: 1.0 (Apple Message framework v746.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <637FEE6F-1603-4187-BC6A-B351666ABBE3@hackmiester.com>
Content-Transfer-Encoding: 7bit
From: Hunter Fuller
Date: Tue, 16 May 2006 17:34:58 +0000
To: pauls@utdallas.edu
X-Mailer: Apple Mail (2.746.2)
Cc: freebsd-questions@freebsd.org
Subject: Re: Is it recommended to allow all outgoing connections from your firewall??
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 16 May 2006 22:34:36 -0000

On 11 May 2006, at 1:56 AM, pauls@utdallas.edu wrote:

> --On May 10, 2006 6:22:11 PM -0700 Mark Jayson Alvarez
> wrote:
>
> Because if the machine has been compromised, it doesn't *matter*
> what the outgoing ruleset is. Or what anything else is, for that
> matter.

What if you're not in, but you can initiate an outgoing connection? From
a buggy PHP script on a web server, for example?

> If I hack your box, one of the first things I'm going to do is
> install a rootkit. Then I'm going to wipe the logs of any evidence
> of my entry (but leave them intact otherwise), clean my tracks from
> the shell history file and remove any other evidence of my
> presence. "Bypassing" your firewall rules is the least of my worries.
>
> Paul Schmehl (pauls@utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
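The case Hunter raises, a web application process that can open outbound connections even though the attacker never gets a shell, is what host-based egress filtering addresses. The pf.conf below is an added example for this thread, not code from either poster or from FreeBSD's own documentation. The interface name (em0), the resolver and NTP addresses, and the www user the web server runs as are assumed placeholders. It shows the "everything may leave" policy the subject line asks about (commented out) beside a default-deny egress policy that logs every blocked attempt.

```pf
# Added example, not from the thread: /etc/pf.conf for a FreeBSD web server,
# applied on the host itself. Interface, addresses and the web server user
# are assumed placeholders; adjust them to the real host.
ext_if      = "em0"                         # assumed interface name
dns_servers = "{ 192.0.2.53, 192.0.2.54 }"  # constructed placeholder resolvers
ntp_server  = "192.0.2.123"                 # constructed placeholder NTP server
web_user    = "www"                         # assumed user for httpd/PHP processes

set skip on lo0

# The permissive policy the subject line asks about: anything may leave.
# A compromised PHP script could then reach any host on any port and the
# firewall would record nothing about it.
#pass out on $ext_if all keep state

# Default deny in both directions; every blocked packet goes to pflog0.
block log all

# Inbound: only the services this host is meant to offer.
pass in on $ext_if proto tcp to ($ext_if) port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA keep state

# Outbound: the web server's own user gets no new outbound sockets at all.
# Replies on established inbound sessions still flow through the state
# table, so serving pages is unaffected; only connections the web server
# user initiates are blocked, and each attempt is logged.
block out log quick on $ext_if proto { tcp, udp } all user $web_user

# Outbound for the rest of the system: name resolution, time, and package
# fetches over HTTP/HTTPS. Nothing else leaves.
pass out on $ext_if proto { tcp, udp } to $dns_servers port 53 keep state
pass out on $ext_if proto udp to $ntp_server port 123 keep state
pass out on $ext_if proto tcp to any port { 80, 443 } flags S/SA keep state
```

Load it with `pfctl -f /etc/pf.conf` and watch blocked traffic with `tcpdump -n -e -ttt -i pflog0`. An outbound attempt logged against the www user is a high-signal indicator that the web application is running someone else's code, and it is recorded by the kernel rather than in a log file the intruder can later edit; with a syslog forwarder on pflog0 the record also survives a local wipe of the kind Paul describes. Two caveats: the `user` match only works on the host that owns the socket, so a separate firewall box has to restrict by source address instead, and the final rule still lets non-www users reach ports 80 and 443 anywhere, so the policy narrows what a compromise can do rather than closing it off entirely.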