Re: Outbound ports
From: The Saint (gur_fnvag_at_gurfnvag.v-c.pbz)
Date: 10/23/03
- Next message: €®ik: "Re: using boot-from-LAN to boot a Linux firewall"
- Previous message: €®ik: "Re: setting up a minimal PC as RH9 firewall"
- In reply to:(deleted message) Leythos: "Re: Outbound ports"
- Next in thread: Juergen Nieveler: "Re: Outbound ports"
- Reply:(deleted message) Juergen Nieveler: "Re: Outbound ports"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 23 Oct 2003 02:21:10 -0500
Leythos wrote:
>In article <Xns941C8DBE58A2Ajuergennieveler@nieveler.org>,
>juergen.nieveler.nospam@arcor.de says...
>> Leythos <void@nowhere.com> wrote:
>>
>> > I would not want to allow more than port 80 and 443 outbound on a
>> > public web server sitting in my DMZ.
>>
>> How are people going to use it, then? Destination Port 80 outbound
>> means that you allow people ON your webserver to surf to other
>> webservers ;-)
>
>You really gotta be kidding - I hope. I would never allow more than port
>80/443 outbound from the WAN to the DMZ (maybe FTP, depending on the
>resource need) (or inbound for the DMZ). Yea, I made a little mistake by
>saying outbound and not qualifying the direction - sorry.
You know that making up your own terminology to cover up your
inaccuracies is pretty low. You made a mistake. Big deal. We all
make mistakes, but how you respond to them speaks volumes. Juergen
was completely correct. What part of what he said seems like a joke
to you?
>> > If the machine were compromised
>> > blocking outbound on all but those ports could prevent traffic from
>> > infecting other machines on the internet.
>> >
>> > If you block outbound ports, except the ones you actually need, you
>> > limit what things your computers can do should they become
>> > compromised.
Yikes! Make up your mind!
What you're saying there is somewhat correct, but weren't you just
arguing that you meant "outbound from the WAN to the DMZ"?
>> > For instance, if you don't allow 135~139, 445, and 8 outbound you
>> > don't have to worry about people making standard windows share
>> > connections to machines on the internet and you don't have to worry
>> > about your machines pinging them either.
>>
>> Uh... you're confusing inbound and outbound again. And pinging doesn't
>> require ANY ports, it only requires the ICMP protocol - that's an
>> important difference.
>
>If you don't allow LAN OUTBOUND of 135~139, & 445 then you don't have to
>worry about your internal machines trying to connect to external
>machines (outbound). So, if your internal machines get infected they
>can't get out on normal RPC ports to hit other machines. Sure, they can
>get out on the DNS, HTTP, HTTPS, FTP ports, but they don't really need
>to make mapped share connections to some unknown users computer in China
>do they?
Ummm...if you don't allow them *in*, you greatly reduce your chances
of compromise. Barring the usual "stupid user" clause, of course.
With that being said, you're right about blocking from the inside out.
That is one of my pet peeves with firewalls such as the PIX. I like
everything blocked by default, and then I can allow what's needed.
>OK, I'll admit it, I made a mistake in PING and trying to state port 8,
>it would have been correct to block ICMP and UDP through the firewall
>from DMZ to LAN, from WAN to ALL, and from DMZ to WAN - you might want
>to allow LAN to WAN, but I still block it. I do allow ping from one set
>of internal machines to exit the firewall WAN port from the LAN side.
The whole purpose of a DMZ is to isolate it from your LAN. Otherwise,
why not make it a part of your LAN? Also, if you're blocking UDP, how
are your computers resolving names? I take it you're not using DHCP
either.
>When it comes to protecting my home I'm as anal about security as anyone
>can be, and I'm the same way when I design a network for customers. In
>20+ years of working with computers (unix, mainframe, PC, etc...) not
>one computer I own or control has been compromised.
That statement holds about as much weight as wet tissue. Heard it a
million times. Claiming to be hack-proof is absurdity at its finest.
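The point the thread keeps circling back to is that a firewall rule has a direction, a protocol and (for TCP/UDP only) a port, and that a default-deny policy has to be written per zone pair. The following is an added example written for this page, not any poster's configuration: a small zone-based policy evaluator that models WAN, DMZ (the public web server) and LAN as discussed above. The address ranges, the two LAN hosts permitted to ping out, and the rule set itself are assumptions chosen to mirror the thread: WAN may reach the DMZ only on 80/443, the DMZ gets out only for DNS and web, LAN-to-WAN 135-139/445 is dropped, UDP 53 is explicitly allowed so name resolution still works, and ICMP is handled without any port at all.

```python
"""Zone-based default-deny firewall policy (illustrative, not a real firewall).

Added example for this page. Zones, addresses and rules are constructed
assumptions that mirror the discussion: WAN, DMZ web server, internal LAN.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# Assumed addressing (constructed for the example).
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.2.0/24"),
}
# Assumed: only these LAN hosts may send ICMP echo requests out the WAN port.
PING_ALLOWED = {ip_address("192.168.1.10"), ip_address("192.168.1.11")}
# Windows file-sharing / RPC endpoint ports that never leave the LAN.
SMB_PORTS = frozenset({135, 136, 137, 138, 139, 445})


def zone_of(addr: str) -> str:
    """Map an address to a zone; anything outside LAN/DMZ is the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # None for ICMP: ICMP has no ports
    icmp_type: Optional[int] = None # 8 = echo request


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: FrozenSet[int]          # empty set means "any port"
    action: str                     # "ACCEPT" or "DROP"


# Ordered, first match wins; anything not matched falls through to DROP.
RULES = [
    # Internet may reach the DMZ web server on HTTP/HTTPS only.
    Rule("WAN", "DMZ", "tcp", frozenset({80, 443}), "ACCEPT"),
    # DMZ may leave only for DNS and web; note UDP 53 is required for DNS.
    Rule("DMZ", "WAN", "udp", frozenset({53}), "ACCEPT"),
    Rule("DMZ", "WAN", "tcp", frozenset({53, 80, 443}), "ACCEPT"),
    # LAN-to-WAN: SMB/RPC explicitly dropped, DNS and web allowed.
    Rule("LAN", "WAN", "tcp", SMB_PORTS, "DROP"),
    Rule("LAN", "WAN", "udp", SMB_PORTS, "DROP"),
    Rule("LAN", "WAN", "udp", frozenset({53}), "ACCEPT"),
    Rule("LAN", "WAN", "tcp", frozenset({53, 80, 443}), "ACCEPT"),
    # No rule at all for DMZ -> LAN or WAN -> LAN: default deny isolates them.
]


def evaluate(pkt: Packet) -> str:
    """Return ACCEPT or DROP for a packet under the policy above."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if pkt.proto == "icmp":
        # ICMP is matched on type, never on a port number.
        if (src_zone == "LAN" and dst_zone == "WAN" and pkt.icmp_type == 8
                and ip_address(pkt.src) in PING_ALLOWED):
            return "ACCEPT"
        return "DROP"
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto) == (src_zone, dst_zone, pkt.proto) \
                and (not r.dports or pkt.dport in r.dports):
            return r.action
    return "DROP"  # default policy


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.168.2.10", "tcp", 443),    # WAN -> DMZ web
        Packet("203.0.113.5", "192.168.2.10", "tcp", 22),     # WAN -> DMZ ssh
        Packet("192.168.2.10", "192.168.1.20", "tcp", 445),   # DMZ -> LAN smb
        Packet("192.168.1.20", "198.51.100.7", "tcp", 445),   # LAN -> WAN smb
        Packet("192.168.1.20", "198.51.100.7", "udp", 53),    # LAN -> WAN dns
        Packet("192.168.1.10", "198.51.100.7", "icmp", icmp_type=8),
        Packet("192.168.1.50", "198.51.100.7", "icmp", icmp_type=8),
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport or p.icmp_type}: {evaluate(p)}")
```

Two things the run makes visible that the argument above only states: the DMZ host cannot open a connection into the LAN or send mail out, because no rule exists for those zone pairs; and an ICMP echo from an unlisted LAN host is dropped without any port ever being consulted.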