What's the point of not allowing all outgoing traffic by default?

What's the point of not allowing all outgoing traffic by default?

on 24.05.2007 07:13:22 by linuxlover992000

I have a small home network comprised of Windows and Linux PCs. I am
not serving anything to the internet. That is, all incoming traffic is
blocked.

On the other hand, up until now, I allow outgoing on a case (port/
service) by case basis. That is, up until now I add yet another port
range to the list of allowed ports/services whenever I discover
another application that needs it.

As time goes by, I discover now that I accumulated a long list of
"allow" that amounts to *almost* opening all ports... which brings
the obvious question: why make it so complicated and tedious, when I
can simply allow all outbound traffic and be done with all the hassle?

Nowadays when client PCs use so many services that practically require
opening all outgoing ports, it seems that the classic rule of thumb of
"First disallow everything by default, then only allow those needed"
is simply outdated.

Am I missing something?

Thanks,
Lynn

Re: What's the point of not allowing all outgoing traffic by default?

on 24.05.2007 15:22:59 by Ansgar -59cobalt- Wiechers

linuxlover992000@yahoo.com wrote:
> I have a small home network comprised of Windows and Linux PCs. I am
> not serving anything to the internet. That is, all incoming traffic is
> blocked.
>
> On the other hand, up until now, I allow outgoing on a case (port/
> service) by case basis. That is, up until now I add yet another port
> range to the list of allowed ports/services whenever I discover
> another application that needs it.
>
> As time goes by, I discover now that I accumulated a long list of
> "allow" that amounts to *almost* opening all ports... which brings
> the obvious question: why make it so complicated and tedious, when I
> can simply allow all outbound traffic and be done with all the hassle?
>
> Nowadays when client PCs use so many services that practically require
> opening all outgoing ports, it seems that the classic rule of thumb of
> "First disallow everything by default, then only allow those needed"
> is simply outdated.
>
> Am I missing something?

Yes. Since you're in control of your internal network the reasonable
measure against unwanted outbound traffic is not to block that traffic,
but to eliminate its source.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: What's the point of not allowing all outgoing traffic by default?

on 24.05.2007 18:17:08 by amr

On May 24, 12:13 am, linuxlover992...@yahoo.com wrote:
> I have a small home network comprised of Windows and Linux PCs. I am
> not serving anything to the internet. That is, all incoming traffic is
> blocked.
>
> On the other hand, up until now, I allow outgoing on a case (port/
> service) by case basis. That is, up until now I add yet another port
> range to the list of allowed ports/services whenever I discover
> another application that needs it.
>
> As time goes by, I discover now that I accumulated a long list of
> "allow" that amounts to *almost* opening all ports... which brings
> the obvious question: why make it so complicated and tedious, when I
> can simply allow all outbound traffic and be done with all the hassle?
>
> Nowadays when client PCs use so many services that practically require
> opening all outgoing ports, it seems that the classic rule of thumb of
> "First disallow everything by default, then only allow those needed"
> is simply outdated.
>
> Am I missing something?
>
> Thanks,
> Lynn

Not outdated - just not really the right fit for your home network.
Blocking all inbound and allowing all outbound is just fine for your
home network.

Re: What's the point of not allowing all outgoing traffic by default?

on 24.05.2007 18:48:45 by Sebastian Gottschalk

linuxlover992000@yahoo.com wrote:


> Am I missing something?

Outbound traffic is normally disallowed by default, and you have to set up an
explicit rule that you want it. Then again you typically also want to filter
some traffic.

something like:

# IANA_PRIVATE, IANA_RESERVED, TCP_BAD and UDP_BAD are lists supplied by
# the caller: RFC 1918 prefixes, unallocated/reserved prefixes, and the
# TCP/UDP ports to refuse in both directions.

# nothing claiming to be "me" comes in, nothing addressed to "me" goes out
ipfw add 3 deny log ip from any to me out
ipfw add 3 deny log ip from me to any in
# LAN-side broadcasts are fine; anything else not from/to "me" on eth0 is not
ipfw add 4 skipto 5 ip from 255.255.255.255 to any out via eth0
ipfw add 4 skipto 5 ip from any to 255.255.255.255 in via eth0
ipfw add 4 skipto 5 ip from 192.168.0.255 to any out via eth0
ipfw add 4 skipto 5 ip from any to 192.168.0.255 in via eth0
ipfw add 4 deny log ip from not me to any out via eth0
ipfw add 4 deny log ip from any to not me in via eth0
# private addresses never cross the uplink
for I in $IANA_PRIVATE; do
    ipfw add 5 deny log ip from $I to any out via ppp0
    ipfw add 5 deny log ip from any to $I in via ppp0
done
# reserved addresses are bogus on any interface
for I in $IANA_RESERVED; do
    ipfw add 6 deny log ip from $I to any
    ipfw add 6 deny log ip from any to $I
done
# known-bad ports, both directions
for J in $TCP_BAD; do
    ipfw add 8 deny log tcp from any to me $J in
    ipfw add 8 deny log tcp from me $J to any out
done
for J in $UDP_BAD; do
    ipfw add 8 deny log udp from any to me $J in
    ipfw add 8 deny log udp from me $J to any out
done
# no SMTP either way
ipfw add 9 deny log tcp from me to any smtp out
ipfw add 9 deny log tcp from any smtp to me in
# stateful: only connections I initiate
ipfw add 12 check-state
ipfw add 12 allow tcp from me to any out setup keep-state
ipfw add 12 allow tcp from any to any established keep-state
ipfw add 12 allow tcp from any to any frag keep-state
ipfw add 13 deny tcp from any to me in setup

Re: What's the point of not allowing all outgoing traffic by default?

on 24.05.2007 22:05:52 by ibuprofin

On 23 May 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1179983602.087902.307520@h2g2000hsg.googlegroups.com>,
linuxlover992000@yahoo.com wrote:

>I have a small home network comprised of Windows and Linux PCs. I am
>not serving anything to the internet. That is, all incoming traffic is
>blocked.

With _extremely_ few exceptions, that is the correct procedure.

>On the other hand, up until now, I allow outgoing on a case (port/
>service) by case basis.

Why? Have you got that much free time as to want to examine every
network connection?

>That is, up until now I add yet another port range to the list of
>allowed ports/services whenever I discover another application that
>needs it.

A better solution is to learn what "stuff" is running on your home
network systems, and determine whether or not you _need_ that running.
If it turns out that you need it (or it is desirable/acceptable) find
out what connections it uses.

>As time goes by, I discover now that I accumulated a long list of
>"allow" that amounts to *almost* opening all ports... which brings
>the obvious question: why make it so complicated and tedious, when I
>can simply allow all outbound traffic and be done with all the hassle?

-rw-rw-r-- 1 gferg ldp 45604 Apr 18 2006 Networking-Overview-HOWTO
-rw-rw-r-- 1 gferg ldp 71626 Apr 4 2004 Unix-and-Internet-Fundamentals-HOWTO

When an application wants to talk to some server "out there", the
operating system looks up the port number for that service (if the
application didn't specify one) such as 22 for FTP, 25 for SMTP, 80
for normal web services, 123 for NTP, 139 for NNTP (news) and so on.
The O/S then chooses a "local" port _AT_RANDOM_ (often the next unused
port above 1024 and below some maximum like 32766 or 65535) and makes
a connection _from_ that port to the remote.

-rw-rw-r-- 1 gferg ldp 708351 Nov 14 2005 IP-Masquerade-HOWTO
-rw-rw-r-- 1 gferg ldp 17605 Jul 21 2004 Masquerading-Simple-HOWTO
-rw-rw-r-- 1 gferg ldp 278012 Jul 23 2002 Security-Quickstart-HOWTO

If you are masquerading (NAT), then the masquerading box may translate
the "local" port to a different range (often above 33000 or 60000)
before sending it on to the remote. Thus, with EXTREMELY few exceptions
like DHCP, the "local" port could be almost anything in the range 1024
to 65535. That's 64512 ports that may need to be allowed as sources on
your end.

>Nowadays when client PCs use so many services that practically require
>opening all outgoing ports, it seems that the classic rule of thumb of
>"First disallow everything by default, then only allow those needed"
>is simply outdated.

Maybe you should find out what those applications are. For the average
click-and-drool user who is running as windoze administrator (because it
is too difficult to set up windoze otherwise) who is blindly clicking
"OK" on every pop-up message that appears in front of them (or who has
clicked the "Don't Show Me This Warning Message Again") it might be
better to clean up your client systems after shooting the user first.

>Am I missing something?

http://www.netfilter.org/documentation/HOWTO/

[TXT] NAT-HOWTO.txt 24-Dec-2006 16:06 25K
[TXT] netfilter-double-nat-HOWTO.txt 24-Dec-2006 16:06 9.4K
[TXT] netfilter-extensions-HOWTO.txt 24-Dec-2006 16:06 79K
[TXT] netfilter-hacking-HOWTO.txt 24-Dec-2006 16:06 84K
[TXT] netfilter-mirror-HOWTO.txt 24-Dec-2006 16:06 8.1K
[TXT] networking-concepts-HOWTO.txt 24-Dec-2006 16:06 28K
[TXT] packet-filtering-HOWTO.txt 24-Dec-2006 16:06 52K

There are also a _lot_ of HOWTOs that should be on your Linux system.
The latest index files

-rw-rw-r-- 1 gferg ldp 273771 May 23 13:09 HOWTO-INDEX
-rw-rw-r-- 1 gferg ldp 97729 May 23 13:09 INDEX

are available from Sunsite (ftp://ibiblio.org/pub/Linux/docs/HOWTO/)
along with current copies of the 460plus HOWTOs and mini-howtos.

Old guy

Re: What's the point of not allowing all outgoing traffic by default?

on 25.05.2007 01:43:15 by flamer

having specific rules also means having useful logs, seeing how often
and how much traffic is generated by application, port, ip address
etc. having one rule allow all with a million hits against it isn't too
useful.

Flamer.
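
An added example, not part of the thread, to illustrate Flamer's point: when each deny rule carries its own log prefix, a few lines of awk turn the kernel log into per-rule, per-port and per-host counts, which a single allow-all rule with a million hits cannot give you. The log lines, the prefixes (OUT-SMTP-DENY, OUT-SMB-DENY, IN-DROP) and the RFC 5737 addresses below are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): per-rule statistics from netfilter
# LOG output.  Each deny rule carries its own --log-prefix, so the kernel
# log can be broken down by rule, destination port and source host.

# Constructed sample of kernel log lines in the shape iptables -j LOG
# produces; the prefixes, hosts and RFC 5737 addresses are made up.
SAMPLE_LOG='May 29 21:03:11 gw kernel: OUT-SMTP-DENY IN= OUT=ppp0 SRC=192.168.0.12 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN
May 29 21:03:12 gw kernel: OUT-SMTP-DENY IN= OUT=ppp0 SRC=192.168.0.12 DST=203.0.113.26 LEN=60 PROTO=TCP SPT=51235 DPT=25 SYN
May 29 21:03:12 gw kernel: OUT-SMB-DENY IN= OUT=ppp0 SRC=192.168.0.7 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=49201 DPT=445 SYN
May 29 21:03:14 gw kernel: OUT-SMTP-DENY IN= OUT=ppp0 SRC=192.168.0.12 DST=203.0.113.27 LEN=60 PROTO=TCP SPT=51236 DPT=25 SYN
May 29 21:03:15 gw kernel: OUT-SMB-DENY IN= OUT=ppp0 SRC=192.168.0.7 DST=198.51.100.9 LEN=78 PROTO=UDP SPT=137 DPT=137
May 29 21:03:16 gw kernel: IN-DROP IN=ppp0 OUT= SRC=198.51.100.200 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=4444 DPT=22 SYN'

# Hit count per (log prefix, protocol, destination port), busiest first.
# The prefix is the word just before "IN=", which is where --log-prefix
# puts it.  Source ports are deliberately ignored: they are ephemeral.
fw_log_summary() {
    awk '{
        prefix = "-"; proto = "-"; dpt = "-"
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^IN=/)         prefix = $(i - 1)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        }
        hits[prefix " " proto " " dpt]++
    }
    END { for (k in hits) print hits[k], k }' | sort -rn
}

# Which hosts triggered a given prefix, most active first.  One LAN host
# piling up OUT-SMTP-DENY hits is the compromised spam-bot to go and clean.
fw_log_sources() {
    awk -v want="$1" '{
        for (i = 2; i <= NF; i++)
            if ($i ~ /^IN=/ && $(i - 1) == want)
                for (j = i; j <= NF; j++)
                    if ($j ~ /^SRC=/) { src[substr($j, 5)]++; break }
    }
    END { for (s in src) print src[s], s }' | sort -rn
}

# Stand-alone run over the constructed sample (on a real gateway: pipe
# the output of dmesg or the kernel facility of syslog in instead).
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
printf '%s\n' "$SAMPLE_LOG" | fw_log_sources OUT-SMTP-DENY
```

The point of the prefix is that it names the rule, so the same counters work no matter how many ports the rule covers; a source-port column would only add noise, since the client side picks those at random.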

Re: What's the point of not allowing all outgoing traffic by default?

on 26.05.2007 18:18:45 by amr

Unless you're extremely bored and want to watch every single thing
coming out of your HOME network...

Allowing anything outbound and blocking your OWN subnet INBOUND is ALL
you need.

IF you're going to sit there and control every little thing coming out
of your HOME network you might as well just proxy your connections and
not even mess with firewalling the outbound traffic.

On May 24, 6:44 pm, "flamer die.s...@hotmail.com"
wrote:
> having specific rules also means having useful logs, seeing how often
> and how much traffic is generated by application, port, ip address
> etc. having one rule allow all with a million hits against it isnt too
> useful.
>
> Flamer.

Re: What's the point of not allowing all outgoing traffic by default?

on 28.05.2007 08:37:33 by Ramon F Herrera

On May 24, 12:13 am, linuxlover992...@yahoo.com wrote:
> I have a small home network comprised of Windows and Linux PCs. I am
> not serving anything to the internet. That is, all incoming traffic is
> blocked.
>
> On the other hand, up until now, I allow outgoing on a case (port/
> service) by case basis. That is, up until now I add yet another port
> range to the list of allowed ports/services whenever I discover
> another application that needs it.
>
> As time goes by, I discover now that I accumulated a long list of
> "allow" that amounts to *almost* opening all ports... which brings
> the obvious question: why make it so complicated and tedious, when I
> can simply allow all outbound traffic and be done with all the hassle?
>
> Nowadays when client PCs use so many services that practically require
> opening all outgoing ports, it seems that the classic rule of thumb of
> "First disallow everything by default, then only allow those needed"
> is simply outdated.
>
> Am I missing something?
>
> Thanks,
> Lynn

Lynn:

Yours is a philosophical question. You want to secure your home and
to be a good neighbor. That implies:

(1) Blocking the thieves, bad guys, neighbor's children, etc. from
entering your house.

The above is obvious, and many people don't realize that they should
also:

(2) Prevent your own kids from going to your neighbor's home and
breaking things.

We should all be good Internet netizens.

-Ramon

Re: What's the point of not allowing all outgoing traffic by default?

on 28.05.2007 09:52:43 by Sebastian Gottschalk

Ramon F Herrera wrote:


> (2) Prevent your own kids from going to your neighbor's home and
> breaking things.
>
> We should all be good Internet netizens.


Except that there's neither a reasonable nor a reliable way to do so without
cutting the wire / pulling the plug.

What about simply not running malware in the first place?

Re: What's the point of not allowing all outgoing traffic by default?

on 29.05.2007 00:31:36 by keme

Sebastian G. skrev:
> Ramon F Herrera wrote:
>
>
>> (2) Prevent your own kids from going to your neighbor's home and
>> breaking things.
>>
>> We should all be good Internet netizens.
>
>
> Except that there's neither a reasonable nor a reliable way to do so
> without cutting the wire / pulling the plug.
>
> What about simply not running malware in first place?

Of course! Expect everyone to be perfect, knowledgeable and in control
at all times, and consider OS security bugs/flaws nonexistent. That
simplifies everything, and eliminates the need for extraneous measures
for safety. We're safe by default. Thank you!

Irony aside, although filtering is not a panacea, it is a useful supplement
to other measures, like avoiding admin privileges on user accounts, safe
conduct on the internet, installing security updates, etc., etc.

Filtering outbound traffic is not the ultimate solution, but an
advisable measure.

Re: What's the point of not allowing all outgoing traffic by default?

on 29.05.2007 02:54:06 by ibuprofin

On 27 May 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1180334253.293250.146270@k79g2000hse.googlegroups.com>, Ramon F Herrera wrote:

>linuxlover992...@yahoo.com wrote:

>> As time goes by, I discover now that I accumulated a long list of
>> "allow" that amounts to *almost* openning all ports... which brings
>> the obvious question: why make it so complicated and tedious, when I
>> can simply allow all outbound traffic and be done with all the hassle?

>Yours is a philosophical question.

No, it's technical and you seem to have missed the point.

>You want to secure your home and being a good neighbor. That implies:
>
> (1) Blocking the thieves, bad guys, neighbor's children, etc. from
>entering your house.
>
>The above is obvious, and many people don't realize that they should
>also:
>
> (2) Prevent your own kids from going to your neighbor's home and
>breaking things.

1. Software is not a substitute for parenting. If you haven't taught
your kids "right" from "wrong" then you are the one at fault, not the
kids, and no pathetic effort you may now make is going to fix that.

2. You don't seem to have the first idea of how TCP/IP works, despite
it being in use for twenty-four years - and in common use by the
clueless for nearly half that.

1118 Hitchhikers guide to the Internet. E. Krol. September 1989.
(Format: TXT=62757 bytes) (Status: INFORMATIONAL)

1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. January 1991.
(Format: TXT=65494 bytes) (Status: INFORMATIONAL)

As you are posting from a search engine, why not use it for its
intended purpose and _search_ for RFC1118 and RFC1180 - who knows, you
might learn something.

Old guy

Re: What's the point of not allowing all outgoing traffic by default?

on 29.05.2007 04:56:56 by Sebastian Gottschalk

Keme wrote:


> Of course! Expect everyone to be perfect, knowledgeable and in control
> at all times, and consider OS security bugs/flaws nonexistent.


Seems like you're ignoring the enormous amount of insecurity introduced by
the pseudo security software itself.

> That simplifies everything,

That's exactly the point. The biggest fiend of security is complexity,
that's why adding more complex code is very unlikely to be any good
solution. Especially when it's totally unreliable and trivially circumvented.

> Irony aside, albeit filtering is not a panacea it is a useful supplement
> to other measures, like avoiding admin privileges on user accounts, safe
> conduct on the internet, installing security updates, etc., etc.

>

> Filtering outbound traffic is not the ultimate solution, but an
> advisable measure.


Except that it's largely impractical and only creates more problems without
any real benefit.

Re: What's the point of not allowing all outgoing traffic by default?

on 29.05.2007 05:25:36 by Rod Engelsman

Moe Trin wrote:

>> (2) Prevent your own kids from going to your neighbor's home and
>> breaking things.
>
> 1. Software is not a substitute for parenting. If you haven't taught
> your kids "right" from "wrong" then you are the one at fault, not the
> kids, and no pathetic effort you may now make is going to fix that.

Did you understand the poster's comments were in the form of an
analogy?? He wasn't literally talking about children, rather that you
shouldn't let your system be the source of spam and other malware.


>
> 2. You don't seem to have the first idea of how TCP/IP works, despite
> it being in use for twenty-four years - and in common use by the
> clueless for nearly half that.

I also don't see where you get off with that comment either. His post
wasn't technical enough to make any judgment either way about his
knowledge of TCP/IP.

Anyway, I'm not convinced that outbound filtering has much utility for a
home user. When you consider that most of the malware aimed at the home
"market" is designed to turn you into a spam-bot, and since you will
almost certainly want to use outbound e-mail, I don't see how you filter
that at the IP level. What you *could* do, I suppose, is restrict
yourself to web-mail and just allow outbound http and secure http.

Of course, it's a different proposition in a business environment. There
you probably want to proxy all your connections and use some application
filtering.

Re: What's the point of not allowing all outgoing traffic by default?

on 29.05.2007 05:40:41 by Leythos

In article <1179983602.087902.307520@h2g2000hsg.googlegroups.com>,
linuxlover992000@yahoo.com says...
> I have a small home network comprised of Windows and Linux PCs. I am
> not serving anything to the internet. That is, all incoming traffic is
> blocked.
>
> On the other hand, up until now, I allow outgoing on a case (port/
> service) by case basis. That is, up until now I add yet another port
> range to the list of allowed ports/services whenever I discover
> another application that needs it.
>
> As time goes by, I discover now that I accumulated a long list of
> "allow" that amounts to *almost* opening all ports... which brings
> the obvious question: why make it so complicated and tedious, when I
> can simply allow all outbound traffic and be done with all the hassle?
>
> Nowadays when client PCs use so many services that practically require
> opening all outgoing ports, it seems that the classic rule of thumb of
> "First disallow everything by default, then only allow those needed"
> is simply outdated.
>
> Am I missing something?

Yep, in many cases you don't need to allow all outbound, in fact, you
don't need to allow ALL outbound for anything I can think of for a home
user.

You can set up a rule to allow SMTP outbound ONLY to your ISP's mail
server or the mail server you normally use - this means that if your
home computer gets compromised with a SMTP virus that it can only send
email through your ISP's email server, and they will catch it normally -
if you just let your system spew SMTP traffic you are polluting the
internet that the rest of us use.

There are many things, like blocking TCP/UDP 135-139, 445, 1433/1434 and
many others - so that your computer has a harder time spreading crap....

--

spam999free@rrohio.com
remove 999 in order to email me
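
An added example, not from the thread, that puts Leythos's policy into an iptables script for a Linux gateway of the kind Lynn used to run: default deny inbound on the uplink, SMTP allowed only towards the ISP's relay, the Windows RPC/NetBIOS/SMB and MS-SQL ports refused outbound, and everything else outbound allowed. It matches on connection state and destination port and never on source port, for the reason ibuprofin gives above: the client end of a connection uses an ephemeral source port. The interface names, the LAN prefix and the relay address 203.0.113.25 are assumptions for the example; nothing is applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): Leythos's egress policy as an
# iptables script for a Linux home gateway.  Assumed topology (not from
# the thread): LAN 192.168.0.0/24 on eth0, uplink on ppp0, and the ISP's
# mail relay at the hypothetical address 203.0.113.25.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
ISP_SMTP=${ISP_SMTP:-203.0.113.25}      # hypothetical ISP relay
WIN_PORTS='135:139,445,1433,1434'       # RPC/NetBIOS/SMB and MS-SQL

# Dry-run by default: print the commands so the policy can be reviewed
# (or tested) without root.  APPLY=1 runs them for real.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

fw_rules() {
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -P INPUT DROP        # nothing is served to the internet
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Inbound: match on connection state, never on source port.  The
    # client end of a connection uses an ephemeral source port, so a
    # source-port allow list would have to cover 1024-65535 anyway.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -j LOG --log-prefix "IN-DROP "

    # Egress: a short list of targeted denies, then allow the rest.
    # Only packets from our own prefix reach EGRESS; spoofed sources
    # fall through to the FORWARD DROP policy.
    ipt -N EGRESS
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j EGRESS
    ipt -A OUTPUT -o "$WAN_IF" -j EGRESS

    # SMTP leaves only towards the ISP relay; a host trying port 25
    # anywhere else is behaving like a spam-bot, so log it and reset it.
    ipt -A EGRESS -p tcp --dport 25 -d "$ISP_SMTP" -j ACCEPT
    ipt -A EGRESS -p tcp --dport 25 -j LOG --log-prefix "OUT-SMTP-DENY "
    ipt -A EGRESS -p tcp --dport 25 -j REJECT --reject-with tcp-reset

    # Windows RPC/NetBIOS/SMB and MS-SQL never need to leave a home LAN.
    for p in tcp udp; do
        ipt -A EGRESS -p "$p" -m multiport --dports "$WIN_PORTS" \
            -j LOG --log-prefix "OUT-SMB-DENY "
        ipt -A EGRESS -p "$p" -m multiport --dports "$WIN_PORTS" -j DROP
    done

    # Everything else outbound is allowed, which is what Lynn settled on.
    ipt -A EGRESS -j ACCEPT

    # NAT for the LAN.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

fw_rules
```

The rules that matter for Leythos's argument are the three on port 25: the ACCEPT for the relay must come before the REJECT, or the relay rule never fires. Every deny has its own log prefix, so the logs stay useful even though the final rule is a blanket allow.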

Re: What's the point of not allowing all outgoing traffic by default?

on 29.05.2007 06:17:16 by Sebastian Gottschalk

Rod Engelsman wrote:


> Anyway, I'm not convinced that outbound filtering has much utility for a
> home user. When you consider that most of the malware aimed at the home
> "market" is designed to turn you into a spam-bot, and since you will
> almost certainly want to use outbound e-mail, I don't see how you filter
> that at the IP level. What you *could* do, I suppose, is restrict
> yourself to web-mail and just allow outbound http and secure http.


An excellent idea, as if web-mail shit would be secure or just reasonable in
any way. Oh, and what about FTP? NTP? NNTP? DNS? Not gonna even start
talking about P2P stuff... oh, and what about SUBMISSION?

> Of course, it's a different proposition in a business environment. There
> you probably want to proxy all your connections and use some application
> filtering.


And do you know why they do this? Protocol conformance enforcement, and
nothing else.

Re: What's the point of not allowing all outgoing traffic by default?

on 29.05.2007 22:06:01 by ibuprofin

On Mon, 28 May 2007, in the Usenet newsgroup comp.security.firewalls, in article
, Rod Engelsman wrote:

>Moe Trin wrote:

>>> (2) Prevent your own kids from going to your neighbor's home and
>>> breaking things.
>>
>> 1. Software is not a substitute for parenting. If you haven't taught
>> your kids "right" from "wrong" then you are the one at fault, not the
>> kids, and no pathetic effort you may now make is going to fix that.
>
>Did you understand the poster's comments were in the form of an
>analogy??

That would be a most generous interpretation - which I don't believe
fits the rest of the post.

>He wasn't literally talking about children, rather that you shouldn't
>let your system be the source of spam and other malware.

And an "outbound block" is going to fix this exactly how? Or do you
believe that a "mother, may I" type of filter won't be treated exactly
like the constant calls of "wolf"?

>> 2. You don't seem to have the first idea of how TCP/IP works, despite
>> it being in use for twenty-four years - and in common use by the
>> clueless for nearly half that.
>
>I also don't see where you get off with that comment either. His post
>wasn't technical enough to make any judgment either way about his
>knowledge of TCP/IP.

The concept of the firewall being able to differentiate between normal
and malicious traffic involves some knowledge of IP addresses, and also
some idea of how source ports are used. Source ports are not assigned
to applications. The normal mode is that the next UNUSED port above 1024
AND above the last port previously used as a source will be assigned for
"this" connection attempt. Try using any packet sniffer, and note the
source ports used as you attempt to connect to some web server. Notice
how the numbers increase each time. There is actually a technical reason
for this - you might look at those RFCs to find out why.

>Anyway, I'm not convinced that outbound filtering has much utility for a
>home user.

Agreed

>When you consider that most of the malware aimed at the home "market" is
>designed to turn you into a spam-bot, and since you will almost certainly
>want to use outbound e-mail, I don't see how you filter that at the IP
>level.

Free clue. Spambots _send_ mail and bypass virtually all of the toy
firewalls installed on residential systems. They do this by grabbing
the next ephemeral port as noted above, and they connect to the remote
mail server's port 25. Some ISPs have discovered that this problem can
be controlled by blocking SMTP traffic out of their IP space that
doesn't come from their own mail servers. There actually are
blocklists that identify dynamic (read that as residential) addresses.
These are used by quite a number of mail servers to reduce the amount
of zombie spam. Other mail servers will not accept mail from hosts with
a generic hostname such as the "70-41-132-29.cust.wildblue.net" you are
posting from, or mail from IP addresses that don't have PTR records (IP
to hostname). The way mail normally is sent from residential customers
is to forward it to the ISP's server. This is _USUALLY_ the same host
that your mail tool receives mail from (though it doesn't have to be).

>What you *could* do, I suppose, is restrict yourself to web-mail and
>just allow outbound http and secure http.

That assumes that your correspondents are accepting web-mail. Most of
what I see from that service is just spam - hence it's black-holed here.

>Of course, it's a different proposition in a business environment. There
>you probably want to proxy all your connections and use some application
>filtering.

While proxying may be an option, most businesses are not operated out of
a single PC, and application filtering ONLY works on the originating
computer. In case you aren't aware, neither UDP, TCP nor the IP network
protocols care about the name of the application involved, and if you
look at RFC0768 (User Datagram Protocol), RFC0791 (Internet Protocol),
RFC0792 (Internet Control Message Protocol), and RFC0793 (Transmission
Control Protocol), and such amendments as RFC1349 (Type of Service in
the Internet Protocol Suite) and RFC3168 (The Addition of Explicit
Congestion Notification (ECN) to IP) this would be obvious. Trying to
use application level filtering on a windoze box where the luser already
has "administrator" rights (because the id10t who set up the box doesn't know
how to do it correctly) is an obvious waste of time AND is false security.

Old guy

Re: What's the point of not allowing all outgoing traffic by default?

on 29.05.2007 23:26:37 by linuxlover992000

Thank you all for your replies. My conclusion from all of this is that
it all boils down to effort vs. benefit.

What I forgot to mention is that the main reason I was asking this is
because my NETGEAR FVS328 router/firewall is so crappy (buggy) that I
need to re-think my old strategy:

Once upon a time I used to have my firewall running in a Linux box
(old PC consuming at least 150W). I then decided that I need to
conserve energy and purchased a NETGEAR FVS328 that consumes only 12W.

What an inferior product - in order for me to stay connected to the
Internet I need to reboot it every 2 weeks or so... Certainly the last
time I would ever buy a NETGEAR product. I am saying this not before I
have exhausted all their useless tech support.

So back to the original question: I discovered that when I disable
certain features in my NETGEAR router/firewall, the frequency of
required reboots tends to be lower. One of these features was logging,
which has become completely unusable in this product. Also,
eliminating the numerous outbound rules could ease the pain on this
poor NETGEAR product. Lastly, maintaining rules in the NETGEAR FVS328
is so slow and painful - it seems that the theoretical risk in
allowing all outbound traffic is worthwhile - until I find a piece of
hardware that consumes 12W-15W and is able to run iptables, VPN, DNS
proxy, NTP server and some additional useful tools (emacs?).

Thank you all for your replies - you certainly helped me to make a
decision to allow all outbound traffic by default.

Lynn

On May 26, 11:18 am, AMR wrote:
> Unless you're extremely bored and want to watch every single thing
> coming out of your HOME network...
>
> Allowing anything outbound and blocking your OWN subnet INBOUND is ALL
> you need.
>
> IF you're going to sit there and control every little thing coming out
> of your HOME network you might as well just proxy your connections and
> not even mess with firewalling the outbound traffic.
>

Re: What's the point of not allowing all outgoing traffic by default?

on 29.05.2007 23:37:30 by Leythos

In article <1180473997.491556.90730@o5g2000hsb.googlegroups.com>,
linuxlover992000@yahoo.com says...
> Thank you all for your replies. My conclusion from all of this is that
> it all boils down to effort vs. benefit.
>
> What I forgot to mention is that the main reason I was asking this is
> because my NETGEAR FVS328 router/firewall is so crappy (buggy) that I
> need to re-think my old strategy:
>
> Once upon a time I used to have my firewall running in a Linux box
> (old PC consuming at least 150W). I then decided that I need to
> conserve energy and purchased a NETGEAR FVS328 that consumes only 12W.
>
> What an inferior product - in order for me to stay connected to the
> Internet I need to reboot it every 2 weeks or so... Certainly the last
> time I would ever buy a NETGEAR product. I am saying this not before I
> have exhausted all their useless tech support.

Strange, I have a 328 setup with a site-site VPN connection that has
been working, stable, without fault, for several years. Maybe you have
power issues, firmware issues, or just a bad internet connection.

The 328 also permits custom rules and can do what you ask.

--

spam999free@rrohio.com
remove 999 in order to email me

Re: What's the point of not allowing all outgoing traffic by default?

on 30.05.2007 01:05:35 by Sebastian Gottschalk

Moe Trin wrote:

> Trying to use application level filtering on a windoze box where the luser already
> has "administrator" rights (because the id10t who set up the box doesn't know
> how to do it correctly) is an obvious waste of time AND is false security.

Even without admin rights, this approach is pretty limited, since there's IPC.

Re: What's the point of not allowing all outgoing traffic by default?

on 30.05.2007 03:45:26 by Ramon F Herrera

On May 28, 2:52 am, "Sebastian G." wrote:
> Ramon F Herrera wrote:
> > (2) Prevent your own kids from going to your neighbor's home and
> > breaking things.
>
> > We should all be good Internet netizens.
>
> Except that there's neither a reasonable nor a reliable way to do so without
> cutting the wire / pulling the plug.
>
> What about simply not running malware in first place?

Cisco had an excellent TV commercial. A CEO type -who presumably has
plenty of access from his PC- was suddenly told about a breach which
was detected by the Cisco infrastructure before it could make any
damage. They were wondering where it came from, when the daughter of
the CEO, all of 7 years old, came out of his office: "Dad, I found a
site with many cool games!" or she brought a CD from home or
something.

-Ramon

Re: What's the point of not allowing all outgoing traffic by default?

on 30.05.2007 03:53:39 by Ramon F Herrera

On May 28, 7:54 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:

> >Yours is a philosophical question.
>

> No, it's technical and you seem to have missed the point


Are you trying to tell us that you cannot possibly grasp the concept of
a question being philosophical while being technical?

I find it hard to believe that you cannot accept such simultaneity. Ever
heard of the wave-particle dual nature of light? Do you also have a
problem accepting it?

-Ramon

Re: What's the point of not allowing all outgoing traffic by default?

on 30.05.2007 07:19:29 by linuxlover992000

On May 29, 4:37 pm, Leythos wrote:
>
> Strange, I have a 328 setup with a site-site VPN connection that has
> been working, stable, without fault, for several years. Maybe you have
> power issues, firmware issues, or just a bad internet connection.
>
> The 328 also permits custom rules and can do what you ask.
>

It seems that _your_ experience is the strange one, otherwise no one
would bother creating a blog entitled "NETGEAR SUCKS":

http://paulm.com/inchoate/2004/09/netgear_sucks.html

Also, do a google search on "netgear sucks" and you'll see what I mean
(209,000 results):

http://www.google.com/search?source=ig&hl=en&q=netgear+sucks

Regards,
Lynn

P.S. Trust me: the NETGEAR tech support have already tried the "Maybe
you have power issues, firmware issues, or just a bad internet
connection". Lots of polite template verbiage (documented on their
tech support web site) - totally useless.

Re: What's the point of not allowing all outgoing traffic by default?

on 30.05.2007 09:42:25 by Sebastian Gottschalk

Ramon F Herrera wrote:

> On May 28, 7:54 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:
>
>>> Yours is a philosophical question.
>>
>> No, it's technical and you seem to have missed the point
>
> Are you trying to tell us that you cannot possibly grasp the concept of
> a question being philosophical while being technical?
>
> I find it hard to believe that you cannot accept such simultaneity. Ever
> heard of the wave-particle dual nature of light? Do you also have a
> problem accepting it?


Looking at the calendar, it's not the 50s anymore, it's 2007. Light is
neither a wave nor a particle, it's a quantum object that, when measured,
shares some properties of a wave and some properties of a particle.

At any rate, your analogy is bullshit. Malware running on your PC is like
children with god-like powers, they're free to ignore anything that is not
imposed hard. Network traffic filtering isn't anywhere near a hard imposition,
the malware is free to simply hijack an already trusted application to make
it deliver the network traffic on its behalf - that's the point where you lose.

Re: What's the point of not allowing all outgoing traffic by default?

on 30.05.2007 12:05:40 by Leythos

In article <5c4obcF2v0i6fU1@mid.dfncis.de>, seppi@seppig.de says...
> At any rate, your analogy is bullshit. Malware running on your PC is like
> children with god-like powers, they're free to ignore anything that is not
> imposed hard. Network traffic filtering isn't anywhere near a hard imposition,
> the malware is free to simply hijack an already trusted application to make
> it deliver the network traffic on its behalf - that's the point where you lose.

Strange, if I had malware with its own SMTP engine running on an infected
PC, with a proper firewall in place that malware could not send emails
to the world directly - since the firewall limits outbound SMTP to the
mail server only, since it would alert on a node trying, and since the
firewall knows the difference between SMTP and just port 25 traffic.

--

spam999free@rrohio.com
remove 999 in order to email me

Re: What's the point of not allowing all outgoing traffic by default?

on 30.05.2007 19:21:29 by Ramon F Herrera

On May 30, 2:42 am, "Sebastian G." wrote:
>
> At any rate, your analogy is bullshit. Malware running
> on your PC is like children with god-like powers,
> they're free to ignore anything that is not imposed hard.
> Network traffic filtering isn't anywhere near a hard
> imposition, the malware is free to simply hijack an
> already trusted application to make
> it deliver the network traffic on its behalf


Sebastian:

I setup Cisco firewalls for a living, while you obviously don't.

When we talk about a "firewall" you do understand that -by definition-
they have to be in a separate box with a specialized/customized OS,
don't you? You wouldn't build a car firewall with the same materials
as the rugs and seats, would you?

If you are talking about the crap that Windopes use inside their PCs,
then I have absolutely nothing to discuss, except smile disdainfully
smugly. :-\

-Ramon

Re: What's the point of not allowing all outgoing traffic by default?

on 30.05.2007 20:41:56 by Sebastian Gottschalk

Ramon F Herrera wrote:


> I setup Cisco firewalls for a living, while you obviously don't.


Right. I'm building them myself, and when not I sure know how to avoid Cisco
and Netgear stuff as much as possible.

> When we talk about a "firewall" you do understand that -by definition-
> they have to be in a separate box with a specialized/customized OS,
> don't you? You wouldn't build a car firewall with the same materials
> as the rugs and seats, would you?


Right, but we are already talking about application-level filtering. Which means
discretionary and/or mandatory access control mechanisms on processes and
sockets.

> If you are talking about the crap that Windopes use inside their PCs,
> then I have absolutely nothing to discuss, except smile disdainfully
> smugly. :-\

We could also talk about SELinux. It's the same thing there.

Or we could step back a bit and talk about application-layer filtering.
Basically the same issue, any malware can impersonate or even spoof
legitimate clients.

Re: What's the point of not allowing all outgoing traffic by default?

on 31.05.2007 03:05:43 by ibuprofin

On 29 May 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1180473997.491556.90730@o5g2000hsb.googlegroups.com>,
linuxlover992000@yahoo.com wrote:

>Once upon a time I used to have my firewall running in a Linux box
>(old PC consuming at least 150W). I then decided that I need to
>conserve energy and purchased a NETGEAR FVS328 that consumes only 12W.

Was that a measured 150 watts? That's an enormous amount of power for a
pc being used as a firewall. By chance, did that also include a monitor
or display of some kind?

>it seems that the theoretical risk in allowing all outbound traffic is
>worthwhile

With obvious limitations, sure.

>until I find a piece of hardware that consumes 12W-15W and is able to
>run iptables, VPN, DNS proxy, NTP server

It's probably going to be a lot harder now, as the old stuff has largely
disappeared. The firewall at home (cable, dialout backup, masquerading a
number of systems on the LAN) is what is left of a 386SX-16 laptop of
uncertain origins (may be an Acer), with 8 Megs of RAM and an ancient
420 Meg disk. No case, no keyboard, no display. It's drawing about
15 VA, most of which is in that hard disk. I believe in running the
absolute minimum of services _on_ the firewall, so the DNS and NTP
servers are actually on the secondary file server.

>and some additional useful tools (emacs?).

---------------------
"Emacs is a great OS. The only thing it lacks is a decent editor."
-------
It's actually Emacs that is the OS and GNU/Linux the device-driver.
-------
Actually I tried Emacs, but it kept asking for my credit card details to
buy a better computer to run on.
-------
Computers tend to come with at least 512Mb RAM these days. Half for X,
half for emacs, what's the problem?
---------------------

Everyone is always banging away at emacs, but

---------------------
"Thanks to the joint efforts of OpenOffice, Mozilla, and a few others, Emacs
officially entered the category of lightweight utilities." -- kalifa on /.
---------------------

>Thank you all for your replies - you certainly helped me to make a
>decision to allow all outbound traffic by default.

For a _standalone_ firewall, where you have the chance of windoze boxes
behind it getting 0wn3d, a rule that blocks _OUTBOUND_ SMTP except to
the ISP's smart server would not be unreasonable, although you look to be
comcast, and at least _some_ sections of the comcast network are finally
blocking it for you. "tcptraceroute", "hping3" (or hping2) and "mtr" can
be used to check this.

[compton ~]$ whatis traceroute tcptraceroute hping2 hping3 mtr
traceroute (8) - print the route packets take to network host
tcptraceroute (8) - A traceroute implementation using TCP packets
hping2 (8) - send (almost) arbitrary TCP/IP packets to network hosts
hping3 (8) - send (almost) arbitrary TCP/IP packets to network hosts
mtr (8) - a network diagnostic tool
[compton ~]$

Old guy
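Leythos's point (limit outbound SMTP to the mail server and alert on any node trying) and Moe Trin's suggested outbound-SMTP rule for a standalone firewall, as an added iptables example that is neither poster's own configuration; the interface names, the relay address 192.0.2.25 and the log lines are placeholders I constructed.

```shell
#!/bin/sh
# Added example, not any poster's configuration: a Linux firewall that
# allows outbound traffic by default (the thread's conclusion) but lets
# LAN hosts reach tcp/25 only at the ISP's relay, logging and rejecting
# any other SMTP attempt so a compromised PC shows up in the logs.
LAN_IF="${LAN_IF:-eth1}"              # assumed LAN-side interface
WAN_IF="${WAN_IF:-eth0}"              # assumed Internet-side interface
ISP_RELAY="${ISP_RELAY:-192.0.2.25}"  # placeholder for the ISP smart host
LOG_LIMIT="${LOG_LIMIT:-5/min}"       # keep a mass-mailer from flooding the log
IPT="${IPT:-echo iptables}"           # dry-run by default; IPT=iptables to apply

smtp_egress_rules() {
    # Separate chain so it can be reviewed with "iptables -L SMTP_OUT -n"
    $IPT -N SMTP_OUT
    $IPT -A SMTP_OUT -d "$ISP_RELAY" -j ACCEPT
    # Anything else on port 25 is a node "trying": log it, then refuse cleanly
    $IPT -A SMTP_OUT -m limit --limit "$LOG_LIMIT" \
        -j LOG --log-prefix "SMTP-EGRESS-BLOCK: "
    $IPT -A SMTP_OUT -j REJECT --reject-with tcp-reset
    # New LAN->WAN SMTP connections are judged by SMTP_OUT ...
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 \
        -m conntrack --ctstate NEW -j SMTP_OUT
    # ... and every other outbound connection is simply allowed
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    # Replies come back; unsolicited inbound traffic is dropped by policy
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -P FORWARD DROP
}

# Turns the kernel's LOG lines into "source -> destination" alerts so the
# admin can see which LAN host tried to talk SMTP on its own.
smtp_block_alerts() {
    grep 'SMTP-EGRESS-BLOCK:' |
        sed -n 's/.*SRC=\([0-9.]*\) DST=\([0-9.]*\).*DPT=25[^0-9].*/\1 -> \2/p'
}

# Constructed log lines (not a real capture) in the format the LOG target writes
sample_log() {
    printf '%s\n' \
      'May 31 03:05:43 fw kernel: SMTP-EGRESS-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=49152 DPT=25 WINDOW=5840' \
      'May 31 03:05:44 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.21 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=49153 DPT=443 WINDOW=5840'
}

case "${1:-}" in
    apply)  smtp_egress_rules ;;                        # IPT=iptables sh egress.sh apply
    alerts) smtp_block_alerts ;;                        # dmesg | sh egress.sh alerts
    *)      smtp_egress_rules; sample_log | smtp_block_alerts ;;
esac
```

Without IPT=iptables the script only prints the rules it would load, which is the safest way to review a rule set before touching a remote firewall.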

Re: What's the point of not allowing all outgoing traffic by default?

on 31.05.2007 03:08:50 by ibuprofin

On 29 May 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1180490019.864046.154200@h2g2000hsg.googlegroups.com>, Ramon F Herrera wrote:

>(Moe Trin) wrote:
>
>>>Yours is a philosophical question.
>>
>> No, it's technical and you seem to have missed the point
>
>Are you trying to tell us that you cannot possibly grasp the concept of
>a question being philosophical while being technical?

Are you really that lost? You attempt to imply (here, and in other
groups like comp.mail.sendmail, comp.os.linux.(misc|security)) some
expertise, but your technical philosophical answer totally misses the
boat.

>I find it hard to believe that you cannot accept such simultaneity. Ever
>heard of the wave-particle dual nature of light? Do you also have a
>problem accepting it?

I've no idea why you feel that may have even the most remote connection
with the question that was posted. Oh, and on your comp.mail.sendmail
question, use the search engine you are posting from to look through
recent posts to the newsgroup "news.admin.net-abuse.blocklisting" and
you may discover some of what is being used now.

Old guy