Date:      Wed, 9 Jan 2002 18:59:30 +0100
From:      Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To:        "Marcel Dijk" <nascar24@home.nl>
Cc:        freebsd-security@freebsd.org
Subject:   Re: allowing outbound connections
Message-ID:  <20020109185930.51eacdc4.kzaraska@student.uci.agh.edu.pl>
In-Reply-To: <023701c198ae$0286ba80$0200a8c0@testuser>
References:  <023701c198ae$0286ba80$0200a8c0@testuser>

On Wed, 9 Jan 2002 02:36:01 +0100 Marcel Dijk wrote:

> Hello,
> 
> Is it (very) dangerous to allow all outgoing connections? I have IPFW
> running which restricts what is going into the server/LAN from the
> internet. But it does not restrict what is going to the internet from
> within my LAN.
> 
> Is this potentially dangerous, with regards to virussus (or virri?) and
> trojans?

Some of my thoughts on this problem...

I think that it depends on the security level that you want. Most attacks
are stopped by filtering inbound connections. Trojans are normally
remote-administration servers installed on your machine, so an attacker must
connect to your machine in order to profit from them.

The problem with outbound connections is that it may be impossible to
determine which connections are legitimate. I think that it would be
better to set up some kind of content filtering / proxying firewall on the
perimeter. This can detect *incoming* trojans and viruses (e.g. sent by
e-mail to your user) or violations of your local policy (e.g. downloading
porn). Of course, this should be accompanied by appropriate outbound
filtering -- e.g. if you decide to run a Web proxy you must have
appropriate firewall rules in place to force your internal users to use
this proxy. 

What you can also do with outbound filtering is to protect the rest of the
world from being attacked from your network (or, at least, make such
attack more difficult) in case some machine inside is compromised or some
user inside has hostile intentions. In this case you should consider the
following: 

* don't let spoofed packets out of your network. This should be a _must_.
If all the border routers had this enabled there'd be less of a problem with
DDoS attacks.

* you may block outbound packets to private networks (10.0.0.0/24,
192.168.0.0/16, etc.)

* you could block access to ports 137/139 on remote machines so no one
from inside can try to compromise a misconfigured Windows host. Note that
this traffic is often generated under normal conditions but blocking it
does not break anything IIRC. 

* you could try blocking access to 'weird' port numbers but this may be
overkill and block some legitimate traffic. This depends mostly on what
your users are allowed to do. E.g. if you don't want them to send mail via
remote servers you could block access to port 25 on remote machines etc.

If someone thinks I'm wrong please correct me. 

Regards,
Krzysztof
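As an added example (not part of the mail above), here is what the egress rules Krzysztof lists could look like as an IPFW ruleset on a FreeBSD border host, with the proxy and mail-relay exceptions he mentions. The interface name fxp0, the LAN 192.168.1.0/24, the proxy 192.168.1.5, the relay 192.168.1.10 and the rule numbers 1000-1500 are all assumptions; the existing inbound rules are left in place.

```shell
#!/bin/sh
# Added example (not from the mail): IPFW egress rules for a FreeBSD
# border host. Assumed names: outside interface fxp0, LAN 192.168.1.0/24,
# Web proxy 192.168.1.5, mail relay 192.168.1.10. Override via environment.
EXT_IF="${EXT_IF:-fxp0}"
LAN="${LAN:-192.168.1.0/24}"
PROXY="${PROXY:-192.168.1.5}"
MAILHOST="${MAILHOST:-192.168.1.10}"
DRY_RUN="${DRY_RUN:-1}"   # default: print commands; set DRY_RUN= to load them

# Print the rule bodies (what follows "ipfw add"), one per line, in the
# order they must be evaluated. Numbers 1000-1500 are assumed to be free.
egress_rules() {
  # 1. Anti-spoofing: nothing leaves the outside interface unless its
  #    source is in our LAN. Logged, because a hit normally means a
  #    compromised or misconfigured inside host.
  echo "1000 deny log ip from not $LAN to any out via $EXT_IF"
  # 2. RFC 1918 destinations are not routable on the Internet; drop all
  #    three blocks so they never leak out.
  echo "1100 deny ip from any to 10.0.0.0/8 out via $EXT_IF"
  echo "1110 deny ip from any to 172.16.0.0/12 out via $EXT_IF"
  echo "1120 deny ip from any to 192.168.0.0/16 out via $EXT_IF"
  # 3. NetBIOS/SMB towards remote hosts, both TCP and UDP 137-139.
  echo "1200 deny log tcp from any to any 137-139 out via $EXT_IF"
  echo "1210 deny log udp from any to any 137-139 out via $EXT_IF"
  # 4. Force Web traffic through the proxy: only it may reach port 80.
  echo "1300 allow tcp from $PROXY to any 80 out via $EXT_IF"
  echo "1310 deny log tcp from any to any 80 out via $EXT_IF"
  # 5. Same for SMTP: only the local relay may reach remote port 25.
  echo "1400 allow tcp from $MAILHOST to any 25 out via $EXT_IF"
  echo "1410 deny log tcp from any to any 25 out via $EXT_IF"
  # 6. Everything else from the LAN is allowed out.
  echo "1500 allow ip from $LAN to any out via $EXT_IF"
}

# Feed each rule to ipfw (or just print the command in dry-run mode).
apply_rules() {
  egress_rules | while read -r rule; do
    if [ -n "$DRY_RUN" ]; then
      echo "ipfw add $rule"
    else
      # shellcheck disable=SC2086  -- word splitting is intended here
      ipfw add $rule
    fi
  done
}

apply_rules
```

The deny rules are logged so that a spoofed source or an inside host talking SMB or SMTP directly shows up in the firewall log, which is the signal you want for spotting a compromised machine.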
