Yes, having a default DENY on the output chain is a bit more work, but it
also allows you to do a daily audit of possible problems. It all depends
on your determined security stance.
A possible compromise would be to have a default ACCEPT rule, but make
ipchains (or iptables) log all unusual ports. Something like:
ipchains -P output ACCEPT                               # default policy: everything may go out
ipchains -A output -p tcp -d 0.0.0.0/0 80:80 -j RETURN  # expected port: stop here, fall through to the ACCEPT policy
ipchains -A output -p tcp -d 0.0.0.0/0 21:21 -j RETURN
...
ipchains -A output -d 0.0.0.0/0 -l                      # no -j target: log the packet, then fall through to ACCEPT
This way you will still allow all ports out, but it will log anything that
you have not specifically listed. If you run logcheck or something of
the like (recommended) then you will know when something strange is
happening almost immediately.
-mike
--
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
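The "accept everything, but log what is not on the list" ruleset from the post above, as an added example that is not part of the original message or of any Debian project code. It generates the rules for either ipchains or iptables so they can be reviewed before being applied. Two things are this example's own choices, not the post's: the rules are generated from a validated port list (the values end up in shell commands), and the catch-all logging rule matches only TCP SYN packets (`-y` in ipchains, `--syn` in iptables), so each unusual outbound connection produces one log line rather than one per packet, and replies sent by a local server (source port 80, any destination port) are not logged as "unusual". The `unusual-out:` log prefix and the flush at the top are also assumptions.

```shell
#!/bin/sh
# Added example: generate the post's "log everything not on the allowlist"
# output-chain ruleset for ipchains or iptables. Dry run: prints the commands.

# emit_rules TOOL PORT...
#   Print one firewall command per line. Review the output, then apply it with
#   something like:  emit_rules iptables 80 443 21 | sh
emit_rules() {
    tool=$1
    shift
    [ $# -gt 0 ] || { echo "emit_rules: need at least one port" >&2; return 1; }
    for p in "$@"; do
        # The ports land inside shell commands, so reject anything that is
        # not a plain number in range (e.g. "80;rm -rf /").
        case $p in
            ''|*[!0-9]*) echo "emit_rules: bad port '$p'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
            echo "emit_rules: port out of range '$p'" >&2; return 1; }
    done
    case $tool in
    ipchains)
        echo "ipchains -F output"
        echo "ipchains -P output ACCEPT"
        for p in "$@"; do
            # RETURN in a built-in chain ends traversal; the chain policy
            # (ACCEPT) then applies, so expected ports are never logged.
            echo "ipchains -A output -p tcp -d 0.0.0.0/0 $p -j RETURN"
        done
        # -y: match only SYN packets (new connections). -l: log. No -j target,
        # so after logging the packet falls through to the ACCEPT policy.
        echo "ipchains -A output -p tcp -y -l"
        ;;
    iptables)
        echo "iptables -F OUTPUT"
        echo "iptables -P OUTPUT ACCEPT"
        for p in "$@"; do
            echo "iptables -A OUTPUT -p tcp --dport $p -j RETURN"
        done
        # LOG is a non-terminating target: the packet is logged and then
        # continues to the chain policy, so nothing is blocked.
        echo "iptables -A OUTPUT -p tcp --syn -j LOG --log-prefix \"unusual-out: \""
        ;;
    *)
        echo "emit_rules: unknown tool '$tool' (use ipchains or iptables)" >&2
        return 1
        ;;
    esac
}

# Stand-alone run: dry-run print of the post's example ruleset, iptables form.
emit_rules iptables 80 21
```

The generated rules do not need to be ordered by hand: every allowlisted port gets its own RETURN rule and the single logging rule is appended last, so adding a port means re-running the generator rather than editing a live chain. The log lines this produces are exactly what logcheck (or any log watcher) should be pointed at.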