On 3 Jul 2005, Steve Kemp wrote:
> On Sat, Jul 02, 2005 at 04:46:29PM -0400, KC wrote:
> One thing did stand out though, you don't allow outgoing connections
> generally. These lines:
>> iptables --policy OUTPUT DROP
>> iptables -t nat --policy OUTPUT DROP
>> iptables -t mangle --policy OUTPUT DROP
> They seem to say "no output except that which is explicitly allowed".
> For a big network I too would restrict outgoing connections, but for
> a home machine with only trusted hosts? It's an additional complication
> which doesn't gain you much.
> (Sure if you had a trojan which phoned home, or tried to compromise
> other hosts .. it would help. But .. in general it is less useful than
> it appears).
...you mean, like every one of the increasingly popular remote control
trojans that infest Windows machines?
Alternately, the variety of IRC remote-controlled things that get
installed after some automated exploit of a hole in your Linux/Unix
Believe me, you *do* benefit from having this sort of protection for a
small home network -- in some cases, *more* than you do for large
organisations, since they often have rules to stop people doing (too
much) stupid stuff...
Nothing is more beautiful than the loveliness of the woods before sunrise.
-- George Washington Carver
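As an added example, not code from either poster: a default-deny OUTPUT ruleset of the kind discussed above, in iptables-restore format, with an explicit allowlist and a LOG rule so that blocked outbound attempts (the "trojan phoning home" case) show up in the kernel log instead of failing silently. The allowed ports, the log prefix and the single-host setup are assumptions.

```shell
#!/bin/sh
# Added example: default-deny egress for a single home host.
# Assumptions: DNS, NTP, HTTP/HTTPS and outbound SSH are all a home box
# needs to open by itself; everything else is logged and then dropped.
# Only the OUTPUT chain is shown; iptables-restore replaces the whole
# filter table, so merge this with your INPUT rules before applying.

# Print the ruleset. Nothing is applied until apply_egress_rules runs as root.
egress_rules() {
    cat <<'EOF'
*filter
:OUTPUT DROP [0:0]
# Loopback and replies on connections this host already opened.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Explicit allowlist of new outbound connections.
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Anything else is logged (rate limited) and falls through to the DROP policy.
# An unexpected destination showing up with this prefix in dmesg or
# /var/log/kern.log is exactly the signal the thread is talking about.
-A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "EGRESS-DROP: " --log-level 4
COMMIT
EOF
}

# Sanity check: how many rules in the generated set jump to a given target.
count_target() {
    egress_rules | grep -c -- "-j $1"
}

# Apply atomically (run as root); iptables-restore loads the table in one step.
apply_egress_rules() {
    egress_rules | iptables-restore
}

if [ "$1" = "apply" ]; then
    apply_egress_rules
fi
```

Run with `apply` as root to load the rules; without arguments the script only defines the functions, so the ruleset can be inspected with `egress_rules` first.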