sean finney on 10 Dec 2004 17:56:03 -0000
On Fri, Dec 10, 2004 at 12:04:55PM -0500, Tobias DiPasquale wrote:
> I will say that most people do just leave the OUTPUT chain's policy to
> ACCEPT and never touch it, but this leaves them open to blasting out
> attacks against other networks when internal machines get zombied.

i'm going to second tobias' opinion on this matter. if you're seriously concerned about the security of your system, putting blocks on outgoing traffic is a very good idea.

as an example of an extreme: on the production machines i take care of, both outgoing and incoming traffic is filtered not only based on the ports in question, but also the source and destination addresses. for everything. so, as a result, no network traffic happens between the machines and anything else on our network or the internet that i don't know about. you can't even ssh between most of the machines, let alone get to anything on the internet.

furthermore, you can set up iptables to log the packets that it blocks, which is a great intrusion detection tool if placed in your OUTPUT chain. typically the first thing that an attacker does after they've made their way into your machine is either "phone home" or download extra software for your system. in either case, it involves outgoing traffic that could be blocked or at least audited, which would alert you to suspicious activity.

on the other hand, it can be kind of a headache if it's your personal workstation... in which case you probably want something a little more relaxed, though the same concepts can be applied.

sean
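As an added example (not part of the original mail or its author's setup), the two ideas above in one script: an OUTPUT chain with a DROP policy that only allows replies to existing connections, loopback, and an explicit allow-list of destinations, where everything else is logged before it is dropped; plus a small summary of the resulting kernel log lines so the log actually works as a detection signal. The interface-free rules, the `OUTPUT-DROP: ` log prefix, the allow-listed addresses and the sample log lines are all constructed for this example.

```shell
#!/bin/sh
# Added example, not the original poster's configuration.
# Assumed placeholders: log prefix "OUTPUT-DROP: ", the allow-listed
# destinations passed on the command line, and the constructed log lines.

# Emit an iptables-restore ruleset for a default-deny OUTPUT chain.
# usage: gen_output_rules proto:host:port [proto:host:port ...]
# Only loopback, replies to established connections and NEW connections
# to the listed proto/host/port triples may leave the box; anything else
# is logged (rate-limited so a noisy process cannot flood syslog) and dropped.
gen_output_rules() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for dest in "$@"; do
        proto=${dest%%:*}          # tcp or udp
        rest=${dest#*:}
        host=${rest%:*}
        port=${rest##*:}
        echo "-A OUTPUT -p $proto -d $host --dport $port -m state --state NEW -j ACCEPT"
    done
    echo '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: " --log-level 4'
    echo '-A OUTPUT -j DROP'
    echo 'COMMIT'
}

# Read kernel log lines on stdin (dmesg or /var/log/kern.log) and count
# blocked outbound attempts per "PROTO DST:DPT", most frequent first.
# A single host repeatedly trying one unexpected destination is exactly
# the "phone home" pattern worth looking at.
summarize_output_drops() {
    grep 'OUTPUT-DROP: ' | sed 's/.*OUTPUT-DROP: //' |
    awk '{
        dst = ""; port = ""; proto = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "DST") dst = kv[2];
            else if (kv[1] == "DPT") port = kv[2];
            else if (kv[1] == "PROTO") proto = kv[2];
        }
        n[proto " " dst ":" port]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample log lines in the format netfilter's LOG target produces.
SAMPLE_LOG='Dec 10 17:56:03 host kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 10 17:56:04 host kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 10 17:56:09 host kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 10 17:56:10 host kernel: unrelated message that must be ignored'

# Demo: print the ruleset for a mail relay and a DNS server, then the summary.
gen_output_rules tcp:192.0.2.10:25 udp:192.0.2.53:53
echo
printf '%s\n' "$SAMPLE_LOG" | summarize_output_drops
```

To apply the ruleset for real, save the output of `gen_output_rules` to a file and load it as root with `iptables-restore < file`; load it from a console session first, since a mistake in the allow-list also cuts off your own ssh replies unless the ESTABLISHED rule is in place. The `--limit 5/min` on the LOG rule is a deliberate choice: without it, a compromised process hammering one destination can fill the disk with log lines, which is itself a denial of service.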