
Re: could you give any idea for my firewall script?



I think that the reason Linux firewalls allow outbound traffic by
default (unlike Windows firewalls, which are often configured by
default to block it) is that it's futile to try to suppress malware
that way, since clever enough malware can always communicate through an
open port (e.g. HTTP - port 80). Windows firewalls sometimes block by
application, but malware can sometimes piggyback on an allowed app,
hence the abundance of leak testers for Windows firewalls. I may be
completely wrong about this, though, so I'd be interested in any
enlightenment on these issues. Does Linux have a firewall or related
piece of software that blocks traffic by app?

On 6/8/05, Paul Gear <paul@gear.dyndns.org> wrote:
> yuri wrote:
> > Hi all,
> >
> > I'm makara, a student from Cambodia. I saw a lot of
> > samples about iptables; most of these samples don't
> > specify OUTPUT, and a few accept all OUTPUT by
> > default. Could you tell me why? (I think OUTPUT is the
> > most important part. It protects against viruses sending
> > something from the LAN to the outside.) And I hope you can give me
> > some ideas on my firewall script; if possible, I hope
> > you can tell me which lines I shouldn't use, why, and what
> > I should use. Thanks in advance. I'm new to Linux and
> > sorry for my English. :(
> 
> If you're new to Linux, start with a higher level tool, like Shorewall
> or one of the user-level firewalls.  They generate the rules for you,
> and you are less likely to make silly scripting mistakes.
> 
> I think you and Ansgar are talking about different things: you're
> talking about the output chain, which is output from the firewall
> itself, and he's talking about forwarding traffic out from the LAN.  I
> think both need to be blocked.  The firewall, because it's got no
> business initiating outgoing traffic (with certain exceptions like
> obtaining patches or NTP), and the clients, because they should be going
> via a proxy.  I run a school network with about 400 nodes (excluding
> printers), and I would never allow the machines direct access to the
> Internet.
> 
> --
> Paul
> <http://paulgear.webhop.net>
> --
> Did you know?  Email is not private and can be viewed by your ISP, the
> recipient's ISP, and possibly other parties.  You can make sure your
> emails are private by using GNU Privacy Guard <http://www.gnupg.org> and
> an email plug-in like Enigmail <http://enigmail.mozdev.org>.
> 
> 
>
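To make the two chains Paul distinguishes concrete, here is an added example of what such a script looks like. It is not a script from this thread and not yuri's; every address, interface name and user in it is an assumption made for the example: eth0 faces the LAN, eth1 the Internet, the LAN is 192.168.0.0/24, the proxy (which also runs the internal resolver) is 192.168.0.2, the patch mirror is 192.0.2.10, the NTP server is 192.0.2.20, and the package manager runs as user _apt. The OUTPUT chain covers what the firewall box itself sends, with only patches and NTP let through; the FORWARD chain covers what is routed out of the LAN, where only the proxy host gets a path to the Internet. Linux cannot match on the program name the way the Windows firewalls mentioned above do, but netfilter's owner match can restrict a rule to the UID or GID that owns the local socket, which is used here to tie the patch exception to the package manager's user. By default the script only prints the commands; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Default-deny OUTPUT (the firewall box's
# own traffic) and FORWARD (traffic routed out of the LAN), with the exceptions
# Paul names: patches, NTP, and a single proxy host for the clients.
#
# Everything below is an assumption made for the example: eth0 faces the LAN,
# eth1 the Internet, 192.168.0.0/24 is the LAN, 192.168.0.2 the proxy and
# internal DNS resolver, 192.0.2.10 the patch mirror, 192.0.2.20 the NTP server
# (TEST-NET addresses), and _apt the package manager's user.
# The commands are only printed unless IPT=iptables is set and you are root.

IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PROXY="${PROXY:-192.168.0.2}"
PATCH_MIRROR="${PATCH_MIRROR:-192.0.2.10}"
NTP_SERVER="${NTP_SERVER:-192.0.2.20}"
PATCH_USER="${PATCH_USER:-_apt}"

flush_rules() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
}

output_rules() {
    # OUTPUT: packets generated by the firewall box itself. Deny by default,
    # then open only what the box has business doing.
    $IPT -P OUTPUT DROP
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Name resolution goes to the internal resolver only, never straight out.
    $IPT -A OUTPUT -o "$LAN_IF" -d "$PROXY" -p udp --dport 53 -j ACCEPT
    # Patches: netfilter cannot match the program name, but the owner match
    # ties the rule to the UID owning the socket, so only the package
    # manager's user can use this hole, not anything else running on the box.
    $IPT -A OUTPUT -o "$WAN_IF" -d "$PATCH_MIRROR" -p tcp -m multiport --dports 80,443 \
        -m owner --uid-owner "$PATCH_USER" -j ACCEPT
    # Time.
    $IPT -A OUTPUT -o "$WAN_IF" -d "$NTP_SERVER" -p udp --dport 123 -j ACCEPT
    # Log what the box tries to send before the policy drops it; a firewall
    # that starts wanting port 80 on its own is worth knowing about.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-output-drop: "
}

forward_rules() {
    # FORWARD: packets routed between LAN and Internet. Clients get no direct
    # path; only the proxy may open connections out, and only on the ports
    # a web proxy and a resolver need.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PROXY" -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PROXY" -p udp --dport 53 -j ACCEPT
    # A client talking to the Internet on its own (port 80 included) is the
    # traffic yuri wants to catch, so log it before the policy drops it.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
}

nat_rules() {
    # Only the proxy is masqueraded; the rest of the LAN has no route out
    # even if a FORWARD rule were added by mistake later.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$PROXY" -j MASQUERADE
}

firewall_rules() {
    flush_rules
    output_rules
    forward_rules
    nat_rules
}

firewall_rules
```

The INPUT chain is not shown because the thread is about the other two; on a real firewall it needs its own default-deny policy in the same style. Note what the owner match does and does not give you: it distinguishes the user whose process opened the socket, not the binary, so anything else running as _apt could still reach the mirror. The LOG rules are the part that answers yuri's concern in practice: with the clients forced through the proxy, any direct connection attempt from the LAN shows up in the kernel log with the source address of the infected machine.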


