[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: home firewall philosophy govering outgoing traffic

On Friday 15 June 2001 17:56, Eric N. Valor wrote:
> At 07:03 AM 6/15/2001 -0500, Bryan Walton wrote:

> Although a couple of folks have previously advised that a default ACCEPT
> policy on the output chain is "better", I tend to disagree.  Of course,
> it's hard to argue against having a default DENY policy on the
> input/forward chains, but the reason for having that on the output is to
> increase your awareness of anything suspicious going on.  For instance, I
> had a user-administered system sitting outside our firewall come up with an
> IRC robot due to a DNS-based crack.  Of course, port 53 was allowed into
> the system so it could make DNS queries.

A reason to use forwarding and only permit UDP replies from those DNS server 
systems.  A home system is better off, not querying root servers, etc, 
especially if it's on dial up.

>  However, if I'd suddenly seen
> port 6667 traffic trying to leave the system (the usual IRC port) I'd have
> known something funny was going on.  Only after the box was turned into
> skript-kiddie scanner and I received a few polite notifications did I
> realize there was a problem and take steps to rectify.
> Yes, having a default DENY on the output chain is a bit more work, but it
> also allows you to do a daily audit of possible problems.  It all depends
> on your determined security stance.

Hang on, unless I'm missing something here, what does this really buy you?

1) There's default deny on input and forward chain
2) You block incoming tcp connections, except services which you are 
3)  You block udp packets accept DNS, NTP that you need

Real world protocols, to do anything useful, need replies, you are going to 
have to alter input and/or forwarding rules anyway to allow answer packets 
back, for new services.  So your logs ought to show unusual activity on that 
side, responding to the outgoing packets.

Yes a permissive output can allow UDP packets off to a info gathering server. 
 But any attacker could just as easily use a commonly allowed protocol for 
the same purpose eg) 'domain' destination port 53 to look like a DNS query, 
which I would suggest offers much higher probability of success, so what 
extra security are you really gaining here?

For high security of internal machines, using a private network and only 
doing NAT or masquerading on a few protocols, is surely more effective, it 
prevents most direct connections, and enforces use of application level 

So are my assumptions innacurate?   If not what real benefit does a policy of 
deny on the output chain have for a home system (not commercial firewall 


Reply to: