What's the point of not allowing all outgoing traffic by default?

I have a small home network comprised of Windows and Linux PCs. I am not serving anything to the internet. That is, all incoming traffic is blocked.

On the other hand, up until now, I allow outgoing on a case-by-case (port/service) basis. That is, up until now I add yet another port range to the list of allowed ports/services whenever I discover another application that needs it.

As time goes by, I discover now that I have accumulated a long list of "allow" rules that amounts to *almost* opening all ports... which brings the obvious question: why make it so complicated and tedious, when I can simply allow all outbound traffic and be done with all the hassle?

Nowadays, when client PCs use so many services that practically require opening all outgoing ports, it seems that the classic rule of thumb of "First disallow everything by default, then only allow those needed" is simply outdated.

Am I missing something?

Thanks, Lynn

Reply to
linuxlover992000

Yes. Since you're in control of your internal network the reasonable measure against unwanted outbound traffic is not to block that traffic, but to eliminate its source.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Not outdated - just not really the right fit for your home network. Blocking all inbound and allowing all outbound is just fine for your home network.

Reply to
AMR

Outbound traffic is normally disallowed by default, and you have to set up an explicit rule that you want it. Then again, you typically also want to filter some traffic.

something like:

# Anti-spoofing: nothing leaves claiming to be "me", nothing arrives claiming to be "me"
ipfw add 3 deny log ip from any to me out
ipfw add 3 deny log ip from me to any in
# Let broadcast traffic through on the LAN side, then drop anything else on eth0 that is not to/from me
ipfw add 4 skipto 5 ip from 255.255.255.255 to any out via eth0
ipfw add 4 skipto 5 ip from any to 255.255.255.255 in via eth0
ipfw add 4 skipto 5 ip from 192.168.0.255 to any out via eth0
ipfw add 4 skipto 5 ip from any to 192.168.0.255 in via eth0
ipfw add 4 deny log ip from not me to any out via eth0
ipfw add 4 deny log ip from any to not me in via eth0
# Private address ranges must never cross the uplink (IANA_PRIVATE is a space-separated list you define first)
for I in $IANA_PRIVATE; do
    ipfw add 5 deny log ip from $I to any out via ppp0
    ipfw add 5 deny log ip from any to $I in via ppp0
done
# Reserved/unallocated ranges are dropped in both directions (IANA_RESERVED likewise defined by you)
for I in $IANA_RESERVED; do
    ipfw add 6 deny log ip from $I to any
    ipfw add 6 deny log ip from any to $I
done
# Known-bad ports per protocol, taken from TCP_BAD and UDP_BAD, dropped in both directions
for I in tcp udp; do
    case $I in
        tcp) BAD=$TCP_BAD ;;
        udp) BAD=$UDP_BAD ;;
    esac
    for J in $BAD; do
        ipfw add 8 deny log $I from any to me $J in
        ipfw add 8 deny log $I from me $J to any out
    done
done
# No direct SMTP to or from this host
ipfw add 9 deny log tcp from me to any smtp out
ipfw add 9 deny log tcp from any smtp to me in
# Stateful TCP: connections I set up are allowed, and only the packets belonging to them
ipfw add 12 check-state
ipfw add 12 allow tcp from me to any out setup keep-state
ipfw add 12 allow tcp from any to any established keep-state
ipfw add 12 allow tcp from any to any frag keep-state
ipfw add 13 deny tcp from any to me in setup
Reply to
Sebastian G.

With _extremely_ few exceptions, that is the correct procedure.

Why? Have you got that much free time as to want to examine every network connection?

A better solution is to learn what "stuff" is running on your home network systems, and determine whether or not you _need_ that running. If it turns out that you need it (or it is desirable/acceptable) find out what connections it uses.

-rw-rw-r-- 1 gferg ldp 45604 Apr 18 2006 Networking-Overview-HOWTO

-rw-rw-r-- 1 gferg ldp 71626 Apr 4 2004 Unix-and-Internet-Fundamentals-HOWTO

When an application wants to talk to some server "out there", the operating system looks up the port number for that service (if the application didn't specify one) such as 22 for FTP, 25 for SMTP, 80 for normal web services, 123 for NTP, 139 for NNTP (news) and so on. The O/S then chooses a "local" port _AT_RANDOM_ (often the next unused port above 1024 and below some maximum like 32766 or 65535) and makes a connection _from_ that port to the remote.

-rw-rw-r-- 1 gferg ldp 708351 Nov 14 2005 IP-Masquerade-HOWTO

-rw-rw-r-- 1 gferg ldp 17605 Jul 21 2004 Masquerading-Simple-HOWTO

-rw-rw-r-- 1 gferg ldp 278012 Jul 23 2002 Security-Quickstart-HOWTO

If you are masquerading (NAT), then the masquerading box may translate the "local" port to a different range (often above 33000 or 60000) before sending it on to the remote. Thus, with EXTREMELY few exceptions like DHCP, the "local" port could be almost anything in the range 1024 to 65535. That's 64512 ports that may need to be allowed as sources on your end.

Maybe you should find out what those applications are. For the average click-and-drool user who is running as windoze administrator (because it is too difficult to set up windoze otherwise), who is blindly clicking "OK" on every pop-up message that appears in front of them (or who has clicked the "Don't Show Me This Warning Message Again"), it might be better to clean up your client systems after shooting the user first.

[TXT] NAT-HOWTO.txt                   24-Dec-2006 16:06  25K
[TXT] netfilter-double-nat-HOWTO.txt  24-Dec-2006 16:06 9.4K
[TXT] netfilter-extensions-HOWTO.txt  24-Dec-2006 16:06  79K
[TXT] netfilter-hacking-HOWTO.txt     24-Dec-2006 16:06  84K
[TXT] netfilter-mirror-HOWTO.txt      24-Dec-2006 16:06 8.1K
[TXT] networking-concepts-HOWTO.txt   24-Dec-2006 16:06  28K
[TXT] packet-filtering-HOWTO.txt      24-Dec-2006 16:06  52K

There are also a _lot_ of HOWTOs that should be on your Linux system. The latest index files

-rw-rw-r-- 1 gferg ldp 273771 May 23 13:09 HOWTO-INDEX

-rw-rw-r-- 1 gferg ldp 97729 May 23 13:09 INDEX

are available from Sunsite (ftp://ibiblio.org/pub/Linux/docs/HOWTO/) along with current copies of the 460-plus HOWTOs and mini-HOWTOs.

Old guy

Reply to
Moe Trin

Having specific rules also means having useful logs, seeing how often and how much traffic is generated by application, port, IP address, etc. Having one "allow all" rule with a million hits against it isn't too useful.

Flamer.

Reply to
die.spam

Unless you're extremely bored and want to watch every single thing coming out of your HOME network...

Allowing anything outbound and blocking your OWN subnet INBOUND is ALL you need.

IF you're go
> having specific rules also means having useful logs, seeing how often

Reply to
AMR

Lynn:

Yours is a philosophical question. You want to secure your home and be a good neighbor. That implies:

(1) Blocking the thieves, bad guys, neighbor's children, etc. from entering your house.

The above is obvious, and many people don't realize that they should also:

(2) Prevent your own kids from going to your neighbor's home and breaking things.

We should all be good Internet netizens.

-Ramon

Reply to
Ramon F Herrera

Except that there's neither a reasonable nor a reliable way to do so without cutting the wire / pulling the plug.

What about simply not running malware in first place?

Reply to
Sebastian G.

Of course! Expect everyone to be perfect, knowledgeable and in control at all times, and consider OS security bugs/flaws nonexistent. That simplifies everything, and eliminates the need for extraneous measures for safety. We're safe by default. Thank you!

Irony aside, although filtering is not a panacea, it is a useful supplement to other measures, like avoiding admin privileges on user accounts, safe conduct on the internet, installing security updates, etc., etc.

Filtering outbound traffic is not the ultimate solution, but an advisable measure.

Reply to
Keme

No, it's technical, and you seem to have missed the point.

  1. Software is not a substitute for parenting. If you haven't taught your kids "right" from "wrong" then you are the one at fault, not the kids, and no pathetic effort you may now make is going to fix that.
  2. You don't seem to have the first idea of how TCP/IP works, despite it being in use for twenty-four years - and in common use by the clueless for nearly half that.
1118 Hitchhikers guide to the Internet. E. Krol. September 1989. (Format: TXT=62757 bytes) (Status: INFORMATIONAL)
1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. January 1991. (Format: TXT=65494 bytes) (Status: INFORMATIONAL)

As you are posting from a search engine, why not use it for its intended purpose and _search_ for RFC1118 and RFC1180 - who knows, you might learn something.

Old guy

Reply to
Moe Trin

Seems like you're ignoring the enormous amount of insecurity introduced by the pseudo security software itself.

That's exactly the point. The biggest fiend of security is complexity; that's why adding more complex code is very unlikely to be a good solution. Especially when it's totally unreliable and trivially circumvented.

Expect that it's largely impractical and only creates more problems without any real benefit.

Reply to
Sebastian G.

Did you understand the poster's comments were in the form of an analogy?? He wasn't literally talking about children, rather that you shouldn't let your system be the source of spam and other malware.

I also don't see where you get off with that comment either. His post wasn't technical enough to make any judgment either way about his knowledge of TCP/IP.

Anyway, I'm not convinced that outbound filtering has much utility for a home user. When you consider that most of the malware aimed at the home "market" is designed to turn you into a spam-bot, and since you will almost certainly want to use outbound e-mail, I don't see how you filter that at the IP level. What you *could* do, I suppose, is restrict yourself to web-mail and just allow outbound http and secure http.

Of course, it's a different proposition in a business environment. There you probably want to proxy all your connections and use some application filtering.

Reply to
Rod Engelsman

Yep, in many cases you don't need to allow all outbound, in fact, you don't need to allow ALL outbound for anything I can think of for a home user.

You can set up a rule to allow SMTP outbound ONLY to your ISP's mail server or the mail server you normally use - this means that if your home computer gets compromised with an SMTP virus, it can only send email through your ISP's email server, and they will normally catch it - if you just let your system spew SMTP traffic you are polluting the internet that the rest of us use.

There are many things, like blocking TCP/UDP 135-139, 445, 1433/1434 and many others - so that your computer has a harder time spreading crap....

Reply to
Leythos
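Here is an added example (not from any poster in this thread) of the policy Leythos describes, written for a Linux gateway running iptables, which Lynn mentions as the alternative to the NETGEAR box: default-allow outbound, SMTP only to the ISP's relay, the Windows/SQL worm ports dropped, and a LOG rule in front of every deny so the logs stay meaningful (Flamer's point). It matches on destination ports only, because, as Moe Trin explains above, the source port is ephemeral and useless for filtering. The interface name, home subnet and relay address are assumptions; set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Egress policy for a home gateway: allow everything outbound by default,
# deny the few destinations worth denying, log each deny separately.
# Assumptions: Linux/iptables, uplink ppp0, LAN 192.168.0.0/24 (constructed),
# ISP mail relay 203.0.113.25 (placeholder from the TEST-NET-3 range).
set -eu

IPT="${IPT:-iptables}"
WAN="${WAN:-ppp0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
ISP_SMTP="${ISP_SMTP:-203.0.113.25}"
WORM_PORTS="135:139,445,1433,1434"   # ports named in the thread

apply_egress_rules() {
    # Fresh EGRESS chain (create it, or flush it if it already exists).
    $IPT -N EGRESS 2>/dev/null || $IPT -F EGRESS

    # Anti-spoofing: only our own subnet may leave through the uplink.
    $IPT -A EGRESS ! -s "$LAN_NET" -j LOG --log-prefix "EGRESS-SPOOF: "
    $IPT -A EGRESS ! -s "$LAN_NET" -j DROP

    # SMTP: allowed only to the ISP's relay; any other port 25 is a bot symptom.
    $IPT -A EGRESS -p tcp --dport 25 -d "$ISP_SMTP" -j ACCEPT
    $IPT -A EGRESS -p tcp --dport 25 -j LOG --log-prefix "EGRESS-SMTP: "
    $IPT -A EGRESS -p tcp --dport 25 -j DROP

    # Worm ports never cross the uplink, for TCP and UDP alike.
    for proto in tcp udp; do
        $IPT -A EGRESS -p "$proto" -m multiport --dports "$WORM_PORTS" \
            -j LOG --log-prefix "EGRESS-$proto-WORM: "
        $IPT -A EGRESS -p "$proto" -m multiport --dports "$WORM_PORTS" -j DROP
    done

    # Everything else leaves freely; the counters on this rule show the volume.
    $IPT -A EGRESS -j ACCEPT

    # Hook the chain into FORWARD for traffic heading out the uplink.
    $IPT -C FORWARD -o "$WAN" -j EGRESS 2>/dev/null \
        || $IPT -I FORWARD -o "$WAN" -j EGRESS
}
```

Run it as root to load the rules, then watch `iptables -L EGRESS -v -n` for per-rule counters and the kernel log for the EGRESS- prefixes.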

An excellent idea, as if web-mail shit would be secure or just reasonable in any way. Oh, and what about FTP? NTP? NNTP? DNS? Not gonna even start talking about P2P stuff... oh, and what about SUBMISSION?

And do you know why they do this? Protocol conformance enforcement, and nothing else.

Reply to
Sebastian G.

That would be a most generous interpretation - which I don't believe fits the rest of the post.

And an "outbound block" is going to fix this exactly how? Or do you believe that a "mother, may I" type of filter won't be treated exactly like the constant calls of "wolf"?

The concept of the firewall being able to differentiate between normal and malicious traffic involves some knowledge of IP addresses, and also some idea of how source ports are used. Source ports are not assigned to applications. The normal mode is that the next UNUSED port above 1024 AND above the last port previously used as a source will be assigned for "this" connection attempt. Try using any packet sniffer, and note the source ports used as you attempt to connect to some web server. Notice how the numbers increase each time. There is actually a technical reason for this - you might look at those RFCs to find out why.

Agreed

Free clue. Spambots _send_ mail and bypass virtually all of the toy firewalls installed on residential systems. They do this by grabbing the next ephemeral port as noted above, and they connect to the remote mail server's port 25. Some ISPs have discovered that this problem can be controlled by blocking SMTP traffic out of their IP space that doesn't come from their own mail servers. There actually are blocklists that identify dynamic (read that as residential) addresses. These are used by quite a number of mail servers to reduce the amount of zombie spam. Other mail servers will not accept mail from hosts with a generic hostname such as the "70-41-132-29.cust.wildblue.net" you are posting from, or mail from IP addresses that don't have PTR records (IP to hostname). The way mail normally is sent from residential customers is to forward it to the ISP's server. This is _USUALLY_ the same host that your mail tool receives mail from (though it doesn't have to be).

That assumes that your correspondents are accepting web-mail. Most of what I see from that service is just spam - hence it's black-holed here.

While proxying may be an option, most businesses are not operated out of a single PC, and application filtering ONLY works on the originating computer. In case you aren't aware, neither UDP, TCP or the IP network protocols care about the name of the application involved, and if you look at RFC0768 (User Datagram Protocol), RFC0791 (Internet Protocol), RFC0792 (Internet Control Message Protocol), and RFC0793 (Transmission Control Protocol), and such amendments as RFC1349 (Type of Service in the Internet Protocol Suite) and RFC3168 (The Addition of Explicit Congestion Notification (ECN) to IP) this would be obvious. Trying to use application level filtering on a windoze box where the luser already has "administrator" rights (because the id10t who set up the box doesn't know how to do it correctly) is an obvious waste of time AND is false security.

Old guy

Reply to
Moe Trin

Thank you all for your replies. My conclusion from all of this is that it all boils down to effort vs. benefit.

What I forgot to mention is that the main reason I was asking this is because my NETGEAR FVS328 router/firewall is so crappy (buggy) that I need to re-think my old strategy:

Once upon a time I used to have my firewall running in a Linux box (old PC consuming at least 150W). I then decided that I need to conserve energy and purchased a NETGEAR FVS328 that consumes only 12W.

What an inferior product - in order for me to stay connected to the Internet I need to reboot it every 2 weeks or so... Certainly the last time I would ever buy a NETGEAR product. I am saying this not before I have exhausted all their useless tech support.

So back to the original question: I discovered that when I disable certain features in my NETGEAR router/firewall, the frequency of required reboots tends to be lower. One of these features was logging, which has become completely unusable in this product. Also, eliminating the numerous outbound rules could ease the pain on this poor NETGEAR product. Lastly, maintaining rules in the NETGEAR FVS328 is so slow and painful - it seems that the theoretical risk in allowing all outbound traffic is worthwhile - until I find a piece of hardware that consumes 12W-15W and is able to run iptables, VPN, DNS proxy, NTP server and some additional useful tools (emacs?).

Thank you all for your replies - you certainly helped me to make a decision to allow all outbound traffic by default.

Lynn

Reply to
linuxlover992000

Strange, I have a 328 setup with a site-site VPN connection that has been working, stable, without fault, for several years. Maybe you have power issues, firmware issues, or just a bad internet connection.

The 328 also permits custom rules and can do what you ask.

Reply to
Leythos

Even without admin rights, this approach is pretty limited, since there's IPC.

Reply to
Sebastian G.