Re: Outbound ports

From: Juergen Nieveler (juergen.nieveler.nospam_at_arcor.de)
Date: 10/22/03


Date: 22 Oct 2003 12:22:01 GMT

Leythos <void@nowhere.com> wrote:

> I would not want to allow more than port 80 and 443 outbound on a
> public web server sitting in my DMZ.

How are people going to use it, then? Destination Port 80 outbound
means that you allow people ON your webserver to surf to other
webservers ;-)

> If the machine were compromised
> blocking outbound on all but those ports could prevent traffic from
> infecting other machines on the internet.
>
> If you block outbound ports, except the ones you actually need, you
> limit what things your computers can do should they become
> compromised.

Caveat: This only applies for real firewalls, not "Desktop Firewalls".

> For instance, if you don't allow 135~139, 445, and 8 outbound you
> don't have to worry about people making standard windows share
> connections to machines on the internet and you don't have to worry
> about your machines pinging them either.

Uh... you're confusing inbound and outbound again. And pinging doesn't
require ANY ports, it only requires the ICMP protocol - that's an
important difference.

Not to mention that it would be rather stupid to prevent your own
machine from pinging others - how do you troubleshoot connections
without ping?

-- 
Juergen Nieveler / juergen.nieveler@web.de / PGP supported!
Aural sex produces eargasms
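The distinction argued in this exchange, as an added illustration that is not part of the thread: a toy packet-filter model for a DMZ web server in which inbound and outbound are separate directions, ping is matched on the ICMP protocol with no port number at all, and the Windows file-sharing ports (135 to 139 and 445) are denied outbound. The `Packet`, `Rule` and `decide` names and the sample policy are constructed for this example; the model is stateless, so reply packets of an allowed inbound session are not considered (a real stateful firewall handles those via connection tracking).

```python
"""Toy first-match-wins packet filter for a DMZ web server (constructed example).

Points it makes concrete:
  * "in" and "out" are different directions with different rules.
  * An outbound rule for dst port 80 lets the *host* open connections to
    other web servers; serving the site is the inbound port 80/443 rule.
  * ICMP (ping) rules carry no port: the protocol itself is the match key.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str               # "in": Internet -> DMZ host, "out": DMZ host -> Internet
    proto: str                   # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None   # None for ICMP, which has no ports


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    ports: FrozenSet[int] = frozenset()   # empty = any port, or not applicable (ICMP)
    action: str = "deny"

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction or pkt.proto != self.proto:
            return False
        if not self.ports:               # ICMP rules never look at a port
            return True
        return pkt.dst_port in self.ports


WEB_PORTS = frozenset({80, 443})
WINDOWS_SHARE_PORTS = frozenset(range(135, 140)) | {445}

# Sample policy for a public web server in a DMZ; default action is deny.
DMZ_WEB_POLICY: List[Rule] = [
    Rule("in", "tcp", WEB_PORTS, "allow"),              # the public web site
    Rule("in", "icmp", action="allow"),                 # others may ping the host
    Rule("out", "icmp", action="allow"),                # host may ping, for troubleshooting
    Rule("out", "tcp", WINDOWS_SHARE_PORTS, "deny"),    # no SMB/NetBIOS towards the Internet
    Rule("out", "udp", WINDOWS_SHARE_PORTS, "deny"),
    Rule("out", "tcp", WEB_PORTS, "allow"),             # host may fetch from other web servers
]


def decide(policy: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, or 'deny' if none matches."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def audit(policy: List[Rule], packets: List[Packet]) -> dict:
    """Map each packet to its verdict; handy for checking a policy before deploying it."""
    return {pkt: decide(policy, pkt) for pkt in packets}


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", 80),      # visitor fetching the site: allow
        Packet("out", "tcp", 80),     # host surfing to another web server: allow
        Packet("out", "tcp", 445),    # host opening an SMB session to the Internet: deny
        Packet("out", "icmp"),        # host pinging: allow, no port involved
        Packet("in", "tcp", 445),     # SMB from the Internet: deny (no matching allow)
        Packet("out", "tcp", 25),     # anything not listed: default deny
    ]
    for pkt, verdict in audit(DMZ_WEB_POLICY, samples).items():
        print(f"{pkt.direction:>3} {pkt.proto:<4} {str(pkt.dst_port):<5} -> {verdict}")
```

Running the module prints one verdict per sample packet; `audit` returns the same mapping so the policy can be checked programmatically.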

