Rich Freeman on 2 Aug 2017 12:37:45 -0700
Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request for Best Practices]
On Wed, Aug 2, 2017 at 3:30 PM, Lee H. Marzke <lee@marzke.net> wrote:
> I'd think you would open up necessary ports outbound, and if you're geoip
> blocking whitelist countries as needed while blocking the rest, in
> combination with some of the published block lists.
>
> Looks like all that functionality is in the pfBlock module of pfSense but I
> haven't tried it yet.
>
> Not practical to whitelist sites.
>

Well, if you're going to allow anything outgoing to port 80, then I'd
think that just about any kind of malware imaginable could make its way
through that hole. You can tunnel anything through that, even if you
check that it is really http. And let's not even get into port 443.

Doing it at the perimeter of a server farm does make complete sense to
me though. You could definitely lock down everything in both directions
there.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
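The "lock down everything in both directions" policy Rich describes for a server-farm perimeter, written out as an nftables ruleset. This is an added example, not part of the PLUG thread and not anything either poster published; the resolver, mirror, collector and admin-network addresses are hypothetical documentation ranges and would be replaced with the farm's real ones. The point it makes concrete is that egress is allowed per destination, not per port: an outbound connection to port 80 on an arbitrary address is dropped and logged no matter how much it looks like HTTP.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the PLUG thread): default-deny egress and ingress
# for a host inside a server farm. All addresses below are hypothetical.

flush ruleset

define RESOLVER  = 192.0.2.53        # the farm's own DNS resolver
define COLLECTOR = 203.0.113.10      # syslog-over-TLS collector
define ADMIN_NET = 10.0.0.0/24       # where SSH sessions may originate

table inet perimeter {
    # Destinations that may be reached on 80/443 (package mirrors, for example).
    # A named set lets operators add or remove hosts without touching the policy.
    set http_allowed {
        type ipv4_addr
        elements = { 198.51.100.10, 198.51.100.11 }
    }

    chain output {
        type filter hook output priority 0; policy drop;

        # Loopback, plus replies belonging to connections already accepted.
        oif lo accept
        ct state established,related accept

        # Name resolution only to the farm resolver, never to arbitrary hosts.
        ip daddr $RESOLVER udp dport 53 accept
        ip daddr $RESOLVER tcp dport 53 accept

        # Updates: HTTP/HTTPS only to the listed mirrors. A connection to port 80
        # on any other address falls through to the drop rule below.
        ip daddr @http_allowed tcp dport { 80, 443 } accept

        # Log forwarding to the collector.
        ip daddr $COLLECTOR tcp dport 6514 accept

        # Everything else is counted, logged and dropped.
        log prefix "egress-drop: " counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept

        # Management access only from the admin network.
        ip saddr $ADMIN_NET tcp dport 22 accept

        log prefix "ingress-drop: " counter drop
    }
}
```

Load it with `nft -f` on a host where the management path is already covered by the input chain, and watch the `egress-drop:` log lines for a while before trusting the allowlist: each one is either a missing legitimate destination or exactly the kind of outbound connection the policy exists to stop.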