
Re: How to tell if a Linux machine is a zombie?



Douglas Tutty wrote:

> On Mon, Jan 08, 2007 at 10:35:10PM -0800, Paul Johnson wrote:
>> James Stevenson wrote:
>> 
>> >> If I understand the matter correctly, a firewall can protect only
>> >> against incoming messages, and is useless against spyware which
>> >> "phones home" or zombie-ware which spews email spam.
>> > 
>> > Not totally correct. A firewall is only as good as the traffic that is
>> > permitted to flow across it. If you want to block something from
>> > phoning home then yes you can block outbound traffic as well.
>> 
>> Blocking outbound traffic on specific ports is the advisable method.
>> Wholesale blocking outbound traffic might make it interesting to get
>> internet connectivity.
> 
> I use shorewall with default block everything all directions then open
> things up as needed.

I bet you have a rule someplace that allows outgoing traffic that's part of
an existing connection.

> The important thing is to read the great shorewall-doc.

Indeed.


