RE: home firewall philosophy govering outgoing traffic
>> Yes, having a default DENY on the output chain is a bit more work,
but
>> it also allows you to do a daily audit of possible problems. It all
>> depends on your determined security stance.
>
>A possible compromise would be to have a default ACCEPT rule, but make
>ipcahains (or iptables) log all unusual ports. something like
>
>ipchains -P output ACCEPT
>ipchains -A output -p tcp -d 0.0.0.0/0 80:80 -j RETURN
>ipchains -A output -p tcp -d 0.0.0.0/0 21:21 -j RETURN
>...
>ipchains -A output -d 0.0.0.0/0 -l
>
>this way you will still allow all ports out, but it will log anything
>that you specifically have not specified. If you run logcheck or
>something of the like(recommended) then you will know when something
>strange is happening almost immediately.
would a such logging result in higher load on the machine?
ive have noticed exessive load on one of our routers (zebra/bgp), it has
an load-average of 10 (or more) under DoS-attacks. (or has zebra just a
poor logging system?)
anders gjære
system enginerer
kvalito it
Reply to: