From owner-freebsd-security Thu Jan 10 3:47:31 2002
To: freebsd-security@freebsd.org
Subject: Re: allowing outbound connections
From: Dan Pelleg
Date: 10 Jan 2002 06:47:22 -0500
In-Reply-To: <20020109185930.51eacdc4.kzaraska@student.uci.agh.edu.pl>
References: <023701c198ae$0286ba80$0200a8c0@testuser> <20020109185930.51eacdc4.kzaraska@student.uci.agh.edu.pl>

Krzysztof Zaraska writes:

> On Wed, 9 Jan 2002 02:36:01 +0100 Marcel Dijk wrote:
>
> > Hello,
> >
> > Is it (very) dangerous to allow all outgoing connections? I have IPFW
> > running which restricts what is going into the server/LAN from the
> > internet. But it does not restrict what is going to the internet from
> > within my LAN.
>
> What you can also do with outbound filtering is to protect the rest of the
> world from being attacked from your network (or, at least, make such
> attack more difficult) in case some machine inside is compromised or some
> user inside has hostile intentions. In this case you should consider the
> following:
> [snip]

I'd like to add another suggestion:

* rate-limit the number of outgoing connections. For example, don't let a
  single internal host have too many open connections to port 80 on
  external hosts. Such a rule would limit the effectiveness of Nimda-like
  worms. The new ipfw "limit" rules make this possible.

-- 
Dan Pelleg
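As an added illustration (not part of Dan's post or of FreeBSD's own scripts), a small sh script that emits the ipfw rules implementing the per-host cap he describes with ipfw's stateful "limit src-addr N" keyword. The LAN prefix 192.168.1.0/24, the external interface name fxp0, the cap of 20 and the rule numbers are assumed placeholders.

```shell
#!/bin/sh
# Added example: cap the number of simultaneous outbound TCP connections to
# external port 80 that any single LAN host may hold open, so a worm-infected
# machine inside cannot fan out to hundreds of web servers at once.
# Placeholders (not from the post): LAN prefix, external interface, cap value.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
EXT_IF="${EXT_IF:-fxp0}"
PER_HOST_HTTP_LIMIT="${PER_HOST_HTTP_LIMIT:-20}"

# Emit the rules, one "ipfw add ..." command per line, without loading them,
# so they can be reviewed or diffed before touching the running firewall.
outbound_limit_rules() {
    # Packets belonging to an already-tracked connection pass here.
    printf 'ipfw add 100 check-state\n'
    # New outbound HTTP (SYN only, "setup"): allow and create dynamic state,
    # but refuse the (N+1)th concurrent connection from the same source host.
    printf 'ipfw add 200 allow tcp from %s to any 80 out via %s setup limit src-addr %s\n' \
        "$LAN_NET" "$EXT_IF" "$PER_HOST_HTTP_LIMIT"
    # Any other new outbound TCP from the LAN is logged and refused, so a
    # compromised host cannot sidestep the cap by using another port.
    printf 'ipfw add 300 deny log tcp from %s to any out via %s setup\n' \
        "$LAN_NET" "$EXT_IF"
}

# Number of rules the generator produces (handy for sanity checks).
rule_count() {
    outbound_limit_rules | wc -l | tr -d ' '
}

# Print the rules by default; set DRY_RUN=0 to feed them to the firewall.
apply_outbound_limit_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        outbound_limit_rules
    else
        outbound_limit_rules | sh -e
    fi
}

apply_outbound_limit_rules
```

Once loaded, `ipfw -d show` lists the dynamic state entries, so a LAN host sitting at its cap shows up as N tracked entries under rule 200 and the refused SYNs appear in the log from rule 300.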