Date: Wed, 9 Jan 2002 18:59:30 +0100
From: Krzysztof Zaraska
To: "Marcel Dijk"
Cc: freebsd-security@freebsd.org
Subject: Re: allowing outbound connections
Message-Id: <20020109185930.51eacdc4.kzaraska@student.uci.agh.edu.pl>
In-Reply-To: <023701c198ae$0286ba80$0200a8c0@testuser>
Organization: University Of Mining And Metallurgy

On Wed, 9 Jan 2002 02:36:01 +0100 Marcel Dijk wrote:

> Hello,
>
> Is it (very) dangerous to allow all outgoing connections? I have IPFW running which restricts what is going into the server/LAN from the internet. But it does not restrict what is going to the internet from within my LAN.
>
> Is this potentially dangerous, with regards to viruses (or virri?) and trojans?

Some of my thoughts on this problem...

I think that it depends on the security level that you want. Most attacks are stopped by filtering inbound connections. Trojans are normally remote-administration servers installed on your machine, so an attacker must connect to your machine in order to profit from them. The problem with outbound connections is that it may be impossible to determine which connections are legitimate.

I think that it would be better to set up some kind of content filtering / proxying firewall on the perimeter. This can detect *incoming* trojans and viruses (e.g. sent by e-mail to your user) or violations of your local policy (e.g. downloading porn). Of course, this should be accompanied by appropriate outbound filtering -- e.g. if you decide to run a Web proxy you must have appropriate firewall rules in place to force your internal users to use this proxy.

What you can also do with outbound filtering is to protect the rest of the world from being attacked from your network (or, at least, make such an attack more difficult) in case some machine inside is compromised or some user inside has hostile intentions. In this case you should consider the following:

* don't let spoofed packets out of your network. This should be a _must_. If all the border routers had this enabled there'd be fewer problems with DDoS attacks.
* you may block outbound packets to private networks (10.0.0.0/24, 192.168.0.0/16, etc.)
* you could block access to ports 137/139 on remote machines so no one from inside can try to compromise a misconfigured Windows host. Note that this traffic is often generated under normal conditions but blocking it does not break anything IIRC.
* you could try blocking access to 'weird' port numbers but this may be an overkill and block some legitimate traffic.

This depends mostly on what your users are allowed to do. E.g. if you don't want them to send mail via remote servers you could block access to port 25 on remote machines etc.

If someone thinks I'm wrong please correct me.

Regards,
Krzysztof
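The egress rules listed in the reply, written out as an rc.firewall-style fragment for ipfw. This is an added example, not part of the original message: the outside interface, its address, the LAN prefix and the optional mail relay are assumed parameters, and the rules must sit before any natd divert rule so that source addresses are still the internal ones when the anti-spoofing check runs.

```shell
#!/bin/sh
# Egress filtering for a FreeBSD gateway (added example, not from the post).
# Usage: add_egress_rules <outside_if> <outside_ip> <lan_prefix> [mail_relay]
# Set fwcmd=echo to preview the generated rules without touching the kernel.
fwcmd="${fwcmd:-/sbin/ipfw}"

add_egress_rules() {
    oif="$1"; oip="$2"; lan="$3"; relay="$4"

    # The gateway's own traffic (DNS, NTP, fetch) leaves with the outside address.
    ${fwcmd} add 1000 allow ip from ${oip} to any out via ${oif}

    # Anti-spoofing: a packet may leave only if it claims an address on our LAN.
    # Keep this ahead of any natd divert rule, which rewrites the source to ${oip}.
    ${fwcmd} add 1010 deny log ip from not ${lan} to any out via ${oif}

    # RFC 1918 destinations never belong on the public link (one rule per prefix,
    # since early ipfw does not accept comma-separated address lists).
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ${fwcmd} add 1020 deny ip from any to ${net} out via ${oif}
    done

    # NetBIOS/SMB towards remote hosts: noisy under normal conditions, never needed.
    ${fwcmd} add 1030 deny tcp from ${lan} to any 137-139 out via ${oif}
    ${fwcmd} add 1030 deny udp from ${lan} to any 137-139 out via ${oif}

    # Optional site policy: only the designated relay may speak SMTP to the outside.
    if [ -n "${relay}" ]; then
        ${fwcmd} add 1040 allow tcp from ${relay} to any 25 out via ${oif}
    fi
    ${fwcmd} add 1040 deny log tcp from ${lan} to any 25 out via ${oif}
}
```

Rule numbers leave gaps so the inbound policy the poster already runs can be placed around them; the `log` keyword needs IPFIREWALL_VERBOSE in the kernel to produce anything.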