From: Chuck Swiger <cswiger@mac.com>
Date: Thu, 11 May 2006 07:28:01 -0400
To: Mark Jayson Alvarez
Cc: freebsd-questions@freebsd.org
Message-ID: <44631FC1.4020603@mac.com>
In-Reply-To: <20060511012211.12062.qmail@web51610.mail.yahoo.com>
Subject: Re: Is it recommended to allow all outgoing connections from your firewall??
Mark Jayson Alvarez wrote:
> I've seen most people allow all outgoing traffic
> originating from the firewall itself... Is this really
> recommended??

No. It's highly desirable to perform egress filtering if possible, but many people lack the time or the detailed knowledge to determine what outbound ports they really need to use. Simply blocking port 6667 can provide a lot of protection against botnets because IRC is so commonly used as the control channel.

[ RFC-2196 recommends doing outbound packet-filtering. ]

--
-Chuck
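The two policies discussed in the reply, written out as a FreeBSD pf.conf fragment. This is an added example, not a ruleset from the thread or from any of its participants; the interface name em0 and the resolver and NTP addresses are constructed placeholders, and the set of allowed ports is illustrative, not a recommendation for any particular host.

```pf
# Added example (not from the original thread): egress policies for traffic
# the firewall host itself originates on its external interface.
# Interface name and server addresses below are assumptions.
ext_if = "em0"                                 # assumed external interface
dns_servers = "{ 192.0.2.53, 192.0.2.54 }"     # constructed resolver addresses
ntp_servers = "{ 192.0.2.123 }"                # constructed NTP server address

set skip on lo0
block log all          # default-deny in both directions; inbound service rules omitted here

# --- Policy A: what the question describes (everything out is allowed) ----
# pass out quick on $ext_if all keep state
# Drawback: any process on the firewall, including a compromised one, can
# reach any remote port, e.g. an IRC control channel on tcp/6667.

# --- Policy B: explicit egress allow-list (what the reply recommends) ------
# Each rule names one protocol/port the host is known to need.
pass out quick on $ext_if proto udp to $dns_servers port 53 keep state
pass out quick on $ext_if proto tcp to $dns_servers port 53 keep state
pass out quick on $ext_if proto udp to $ntp_servers port 123 keep state
pass out quick on $ext_if proto tcp to any port { 80, 443 } keep state   # package and patch fetches
pass out quick on $ext_if inet proto icmp icmp-type echoreq keep state
# Anything else the firewall tries to originate falls through to
# "block log all" and is logged to pflog0, which is how you find the
# outbound ports you did not know you needed.

# --- Minimal step when the full allow-list is not yet known ----------------
# Keep Policy A's catch-all, but drop the common botnet control channel first
# ("quick" makes the block win over the later pass rule):
# block out log quick on $ext_if proto tcp to any port 6667
# pass out quick on $ext_if all keep state
```

Only one of the three sections should be active at a time; check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` for a while under Policy B to see which legitimate outbound connections still need a rule.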