Gentoo Archives: gentoo-user

From: Alan McKinnon <alan.mckinnon@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Do you block outbound ports?
Date: Sat, 20 Aug 2011 19:04:37
Message-Id: 21545806.n9l1RQMaLZ@nazgul
In Reply to: [gentoo-user] Do you block outbound ports? by Grant
On Sat 20 August 2011 10:38:43 Grant did opine thusly:
> I like the policy of blocking all ports in and out with a firewall
> and only opening the ones you need. Bittorrent makes that
> difficult since it connects out to unpredictable ports. Do you
> block outbound ports with a firewall or only inbound?

For the most part only inbound. Blocking outbound is pretty much
pointless as a security measure.

You cannot control what people will want to connect to outbound. Every
time you think you have a complete list, someone will come along and
provide you with heaps of reasons as to why their request is legit
(and it usually is!).

What you can control completely is the services you offer and on what
ports; therefore inbound firewalls make sense.

That's not to say we don't use outbound firewalls at all, we do - as a
policy measure. Outbound port 25 is blocked so that people will use my
relays instead. I trust them to play nice, they trust me to keep the
service up. For us, this works well. But as a security measure the
entire model falls apart as soon as someone with a clue comes along. I
have this game I play with our firewall/security people where I get to
look smug. Tool of choice? ssh

The security benefits from outbound connections to my mind are:
warm-and-fuzzy security
cover-your-ass security
just-do-whatever-the-damn-auditor-says-so-he-can-stfu security
i-don't-know-what-i'm-doing security

but almost never real security. That's better done with permanent ACLs
on the routers.

--
alan dot mckinnon at gmail dot com
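As an added illustration (not part of the mail above), this POSIX shell function emits an iptables-restore ruleset implementing the policy Alan describes: inbound default-deny with an explicit allow list, outbound open except tcp/25, which is permitted only to the organisation's own relay and logged otherwise so misconfigured hosts show up. The relay address 192.0.2.25 and the port list are constructed placeholders.

```shell
#!/bin/sh
# Build an iptables-restore ruleset for "inbound default-deny, outbound
# open except SMTP to anything but our relay". The relay address and the
# list of offered services are constructed placeholders for this example.

# gen_rules RELAY_IP "PORT PORT ..."  -> prints the ruleset on stdout
gen_rules() {
    relay="$1"
    inbound_ports="$2"

    echo '*filter'
    echo ':INPUT DROP [0:0]'        # nothing in unless explicitly allowed
    echo ':FORWARD DROP [0:0]'      # this is a host firewall, not a router
    echo ':OUTPUT ACCEPT [0:0]'     # outbound stays open, per the post

    # Loopback and replies to connections we initiated are always fine.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

    # Only the services we deliberately offer are reachable from outside.
    for p in $inbound_ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Policy rule, not a security rule: SMTP only to our relay. Anything
    # else talking to port 25 directly is logged (so it can be spotted
    # and fixed) and rejected with a reset so the sender fails fast.
    echo "-A OUTPUT -p tcp --dport 25 -d $relay -j ACCEPT"
    echo '-A OUTPUT -p tcp --dport 25 -j LOG --log-prefix "smtp-direct-blocked: "'
    echo '-A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset'

    echo 'COMMIT'
}

# Usage with the constructed values (review the output before loading it):
#   gen_rules 192.0.2.25 "22 80 443" | iptables-restore
```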
