From owner-freebsd-questions@FreeBSD.ORG Thu May 11 01:55:54 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9528216A401 for ; Thu, 11 May 2006 01:55:54 +0000 (UTC) (envelope-from pauls@utdallas.edu) Received: from mail.stovebolt.com (mail.stovebolt.com [66.221.101.248]) by mx1.FreeBSD.org (Postfix) with ESMTP id 447CC43D45 for ; Thu, 11 May 2006 01:55:54 +0000 (GMT) (envelope-from pauls@utdallas.edu) Received: from [192.168.2.102] (adsl-65-65-211-42.dsl.rcsntx.swbell.net [65.65.211.42]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.stovebolt.com (Postfix) with ESMTP id 3683E114307 for ; Wed, 10 May 2006 20:50:40 -0500 (CDT) Date: Wed, 10 May 2006 20:56:15 -0500 From: pauls@utdallas.edu To: freebsd-questions@freebsd.org Message-ID: <6B0EC275D1AE8D66D26A2093@paul-schmehls-powerbook59.local> In-Reply-To: <20060511012211.12062.qmail@web51610.mail.yahoo.com> References: <20060511012211.12062.qmail@web51610.mail.yahoo.com> X-Mailer: Mulberry/4.0.0 (Mac OS X) MIME-Version: 1.0 Content-Type: multipart/signed; micalg=sha1; protocol="application/pkcs7-signature"; boundary="==========00492A532B22D0C1F702==========" X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Re: Is it recommended to allow all outgoing connections from your firewall?? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 May 2006 01:55:54 -0000 --==========00492A532B22D0C1F702========== Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline --On May 10, 2006 6:22:11 PM -0700 Mark Jayson Alvarez =20 wrote: > > I've seen most people allow all outgoing traffic > originating from the firewall itself... Is this really > recommended?? What if the machine have been > compromised and the intruder have installed a program > that let's him access the machine remotely by having > the program itself to initiate the outgoing connection > to him thus defying the incoming connection firewall > ruleset... > Because if the machine has been compromised, it doesn't *matter* what the=20 outgoing ruleset is. Or what anything else is, for that matter. If I hack your box, one of the first things I'm going to do is install a=20 rootkit. Then I'm going to wipe the logs of any evidence of my entry (but=20 leave them intact otherwise), clean my tracks from the shell history file=20 and remove any other evidence of my presence. "Bypassing" your firewall=20 rules is the least of my worries. Paul Schmehl (pauls@utdallas.edu) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/ir/security/ --==========00492A532B22D0C1F702==========--