[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: home firewall philosophy govering outgoing traffic

On Sun, Jun 17, 2001 at 10:38:30AM +0100, Robert Davies wrote:
> But can't they just try to use a connection which you permit, to port 80
> for 
> instance to make it look like HTTP, or use DNS port 53.  I think you're 
> 'hoping' they'll use a non-stealthy port, like an IRC DCC connection on the
> default port for controlling something like an eggdrop bot, on ports you 
> don't usually use.
> What you're really showing here is that allowing Masquerading or Forwarding
> (if you use assigned IPs, rather than private) and relying on packet 
> filtering is less secure than not permitting it at all, and using an 
> applicaton gateway eg) proxy.

Off course they can use an allowed port, and blocking all but a few outgoing
ports wouldn't help you there.

But equally as they (usually) use IRC now, they could use HTTP to get things
done. Your application aware proxy wouldn't buy you anything, it would just
let things go through. (If I were to write a bot, I *would* use HTTP and/or
HTTPS - these ports are nearly never blocked; the only reason why people
currently don't is because it's probably just a lot easier to program an irc



"From a security perspective, Bluetooth is a disaster waiting to happen."
	-- Martin Reynolds

Attachment: pgpRRUWDQQa74.pgp
Description: PGP signature

Reply to: