Date: Wed, 10 May 2006 20:56:15 -0500
From: pauls@utdallas.edu
To: freebsd-questions@freebsd.org
Subject: Re: Is it recommended to allow all outgoing connections from your firewall??
Message-ID: <6B0EC275D1AE8D66D26A2093@paul-schmehls-powerbook59.local>
In-Reply-To: <20060511012211.12062.qmail@web51610.mail.yahoo.com>
References: <20060511012211.12062.qmail@web51610.mail.yahoo.com>

--On May 10, 2006 6:22:11 PM -0700 Mark Jayson Alvarez <jay2xra@yahoo.com> wrote:

>
> I've seen most people allow all outgoing traffic
> originating from the firewall itself... Is this really
> recommended?? What if the machine has been
> compromised and the intruder has installed a program
> that lets him access the machine remotely by having
> the program itself initiate the outgoing connection
> to him thus defying the incoming connection firewall
> ruleset...
>

Because if the machine has been compromised, it doesn't *matter* what the
outgoing ruleset is. Or what anything else is, for that matter.

If I hack your box, one of the first things I'm going to do is install a
rootkit. Then I'm going to wipe the logs of any evidence of my entry (but
leave them intact otherwise), clean my tracks from the shell history file
and remove any other evidence of my presence. "Bypassing" your firewall
rules is the least of my worries.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/