Lee H. Marzke on 2 Aug 2017 12:30:19 -0700


Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request for Best Practices]

I'd think you would open up necessary ports outbound, and if you're GeoIP blocking, whitelist countries as needed while blocking the rest, in combination with some of the published block lists.

Looks like all that functionality is in the pfBlock module of pfSense but I haven't tried it yet.

Not practical to whitelist sites.

Lee Marzke.     <Lmarzke@4aero.com>
Sent from phone

From: Rich Freeman <r-plug@thefreemanclan.net>
Sent: Aug 2, 2017 2:40 PM
To: Thomas Delrue
Cc: Philadelphia Linux User's Group Discussion List
Subject: Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request for Best Practices]

On Wed, Aug 2, 2017 at 2:08 PM, Thomas Delrue <delrue.thomas@gmail.com> wrote:
> On August 2, 2017 1:42:26 PM EDT, Rich Freeman <r-plug@thefreemanclan.net>
> wrote:
>> So, do you whitelist every individual web server you browse?  Oh, and
>> I assume you proxy those requests to check the URLs because one of
>> those virtual hosts could be also hosting malware on some other
>> domain?
> Believe it or not but I actually do have something along those lines in
> place. It's more complex than just this but once running, it's rather nice
> (and to rsk's point, hardly any maintenance).

Do you simply not have any desktop web traffic on your network?
Whitelisting every domain you visit in a browser sounds like anything
but "hardly any maintenance."

Sure, I could see doing this on a firewall protecting a server farm
where you have no desktop traffic.  Doing it in general for outbound
desktop traffic seems like it would be an exercise in frustration for
admins and users alike.  I wouldn't want to deal with this and I'm the
only user on this network...
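The egress policy Lee describes above (only the necessary ports outbound, a GeoIP country whitelist that blocks everything else, plus published block lists), modelled as an added example that is not code from the post and not pfSense or pfBlockerNG code. It evaluates rules first-match-wins, the way a pf-style rule set does, to show why the block list must sit above the country whitelist: a known-bad host inside a whitelisted country is otherwise let through. The GEOIP ranges, BLOCKLIST entries and port set are constructed sample data (documentation address blocks, hypothetical country assignments), not real feeds.

```python
"""Outbound (egress) policy: block lists, GeoIP country whitelist, explicit ports.

Added example; constructed sample data, not real GeoIP or block-list feeds.
"""
import ipaddress

# Constructed GeoIP table: (network, ISO country code). Hypothetical assignments.
GEOIP = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "XX"),
]

# Constructed "published block list". Note the /32 inside a whitelisted country.
BLOCKLIST = [
    ipaddress.ip_network("203.0.113.66/32"),
    ipaddress.ip_network("192.0.2.0/25"),
]

# Countries we need to reach; everything else (including unknown) is blocked.
ALLOWED_COUNTRIES = {"US", "DE"}

# Only the outbound ports actually needed; (protocol, port).
ALLOWED_OUTBOUND_PORTS = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 22)}


def country_of(addr):
    """Longest-prefix lookup is not needed for this non-overlapping sample table."""
    for net, cc in GEOIP:
        if addr in net:
            return cc
    return None


# Each rule returns (action, reason) when it matches, or None to fall through.
def rule_block_list(addr, proto, port):
    for net in BLOCKLIST:
        if addr in net:
            return ("deny", f"block list {net}")
    return None


def rule_geoip_deny(addr, proto, port):
    cc = country_of(addr)
    if cc not in ALLOWED_COUNTRIES:
        return ("deny", f"geoip {cc or 'unknown'}")
    return None


def rule_pass_ports(addr, proto, port):
    if (proto, port) in ALLOWED_OUTBOUND_PORTS:
        return ("allow", f"{proto}/{port} outbound to {country_of(addr)}")
    return None


def rule_default_deny(addr, proto, port):
    return ("deny", "default deny")


# Correct order: block list first, then country filter, then the port pass rule.
SAFE_RULES = [rule_block_list, rule_geoip_deny, rule_pass_ports, rule_default_deny]

# Common mistake: the country/port pass rule is placed above the block list.
# With first-match semantics the block list is never consulted for a host in a
# whitelisted country on a whitelisted port.
MISORDERED_RULES = [rule_geoip_deny, rule_pass_ports, rule_block_list, rule_default_deny]


def evaluate(dst, proto, port, rules=SAFE_RULES):
    """Return the (action, reason) of the first matching rule."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        verdict = rule(addr, proto, port)
        if verdict is not None:
            return verdict
    raise RuntimeError("rule set must end with a default rule")


if __name__ == "__main__":
    samples = [
        ("203.0.113.10", "tcp", 443),   # whitelisted country, allowed port
        ("203.0.113.66", "tcp", 443),   # block-listed host inside that country
        ("192.0.2.200", "tcp", 443),    # country not whitelisted
        ("203.0.113.10", "tcp", 25),    # port not opened outbound
        ("198.18.0.1", "udp", 53),      # no GeoIP entry at all
    ]
    for dst, proto, port in samples:
        print(dst, proto, port, evaluate(dst, proto, port))
    print("misordered:", evaluate("203.0.113.66", "tcp", 443, MISORDERED_RULES))
```

Unknown-country addresses are denied rather than passed, since a GeoIP miss is not evidence that a destination is safe; whether that is tolerable depends on how complete your GeoIP feed is.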

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug