Date: 10 Jan 2002 06:47:22 -0500
From: Dan Pelleg <peldan@yahoo.com>
To: freebsd-security@freebsd.org
Subject: Re: allowing outbound connections
Message-ID: <u2szo3mzaut.fsf@gs166.sp.cs.cmu.edu>
In-Reply-To: <20020109185930.51eacdc4.kzaraska@student.uci.agh.edu.pl>
References: <023701c198ae$0286ba80$0200a8c0@testuser> <20020109185930.51eacdc4.kzaraska@student.uci.agh.edu.pl>

Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl> writes:

> On Wed, 9 Jan 2002 02:36:01 +0100 Marcel Dijk wrote:
>
> > Hello,
> >
> > Is it (very) dangerous to allow all outgoing connections? I have IPFW
> > running which restricts what is going into the server/LAN from the
> > internet. But it does not restrict what is going to the internet from
> > within my LAN.
> >
>
> What you can also do with outbound filtering is to protect the rest of the
> world from being attacked from your network (or, at least, make such an
> attack more difficult) in case some machine inside is compromised or some
> user inside has hostile intentions. In this case you should consider the
> following:
>
[snip]

I'd like to add another suggestion:

* rate-limit the number of outgoing connections. For example, don't
  let a single internal host have too many open connections to port 80
  on external hosts. Such a rule would limit the effectiveness of
  Nimda-like worms. The new ipfw "limit" rules make this possible.

--
Dan Pelleg

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
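
The per-host cap suggested in the message above, as an added example that is not part of the original e-mail: a small sh function that prints an ipfw rule set using `limit src-addr`. The LAN prefix, the cap of 20, and the rule numbers are assumed values, and the rules assume ipfw sees the real LAN source addresses (no NAT ahead of them).

```shell
#!/bin/sh
# Added example, not from the original message. Prints ipfw commands that cap
# the number of concurrent outbound connections each internal host may hold
# to one destination port. All addresses and numbers below are constructed.

# outbound_limit_rules LAN PORT MAX
# Writes "ipfw add ..." commands to stdout; returns 1 if MAX is not a
# positive integer, so a typo cannot silently produce an uncapped rule set.
outbound_limit_rules() {
    lan=$1 port=$2 max=$3
    case $max in
        ''|*[!0-9]*|0) echo "MAX must be a positive integer" >&2; return 1 ;;
    esac
    cat <<EOF
# Packets of connections that already hold a dynamic rule match here.
ipfw -q add 1000 check-state
# New connections to the capped port: at most $max per source address.
ipfw -q add 1100 allow tcp from $lan to any $port setup limit src-addr $max
# Explicit stop so an over-limit SYN can never reach the generic rule below;
# "log" records it when kernel firewall logging is enabled.
ipfw -q add 1200 deny log tcp from $lan to any $port setup
# All other outbound TCP from the LAN, tracked statefully but not capped.
ipfw -q add 1300 allow tcp from $lan to any setup keep-state
EOF
}

# Print the rule set for review; pipe the output to sh on the firewall host
# to load it. LAN, PORT and MAX may be overridden from the environment.
outbound_limit_rules "${LAN:-192.168.0.0/24}" "${PORT:-80}" "${MAX:-20}"
```

Hits on the logged deny rule from a single internal address are a useful signal that the host is opening connections at a worm-like rate.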
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?u2szo3mzaut.fsf>