Re: home firewall philosophy govering outgoing traffic

To: Bryan Walton <walton@berbee.com>, debian-firewall@lists.debian.org
Subject: Re: home firewall philosophy govering outgoing traffic
From: Robert Davies <Rob_Davies@ntlworld.com>
Date: Fri, 15 Jun 2001 13:22:46 +0100
Message-id: <01061513224603.00768@linux>
In-reply-to: <20010615070305.A7458@berbee.com>
References: <20010615070305.A7458@berbee.com>

On Friday 15 June 2001 13:03, Bryan Walton wrote:

> 2) More to the point, Ziegler suggests setting the input, output, and
> forward default policies to DENY and then decide what to allow through.  It
> has dawned on me that I can make my rules MUCH simpler by setting the
> output chain's default policy to ACCEPT

I think you're right.  DENY is best policy on input and forward however.  I 
imagine the book has firewalling a commercial environment where control 
freakery means the services folk are allowed to connect to is restricted to 
http, smtp, domain etc.

You would have to allow output to tcp unprivelleged ports, if you were 
serving anything!

> and remove all of the output rules
> from the script since philosophically I don't have any interest or
> desire to limit what my family members do on the net.  As long as I
> filter out incoming traffic that I deem dangerous, is there anything to
> fear from having the output default policy set to ACCEPT?  Or am I missing
> something obvious?

Well X, is often used by crackers to give them a shell terminal window on a 
target victim host.

So it may be wise to block outgoing ports 6000:6010.

Rob

Reply to:

References:
- home firewall philosophy govering outgoing traffic
  - From: Bryan Walton <walton@berbee.com>

Prev by Date: home firewall philosophy govering outgoing traffic
Next by Date: Re: home firewall philosophy govering outgoing traffic
Previous by thread: home firewall philosophy govering outgoing traffic
Next by thread: Re: home firewall philosophy govering outgoing traffic
Index(es):
- Date
- Thread