September 22nd, 2005 12:06 AM
Outgoing port blocking
Would it be advisable to block all ports that aren't used from passing through my firewall? I ask this because I think it might help to block some malicious programs from downloading more stuff. If this is an incorrect assumption then please correct me.
The answer to all how to questions: Very carefully with a large stick.
"Dogs f***ed the Pope. No fault of mine." Hunter S. Thompson
September 22nd, 2005 12:48 AM
Block all ports in and out. Open only those needed. Remember that ports 80 and 8080 are used by malicious programs. Stateful packet inspection, IDS and antivirus are necessary to prevent outgoing packets.
As to incoming packets: a firewall, properly configured, will only accept packets - on a port - from an IP that IT (the firewall/computer) initiated.
September 22nd, 2005 02:01 AM
Egress filtering can be a good thing. You'll need to assess your network and your own needs to find out what needs to be blocked and if it will cause any kinds of problems.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
September 22nd, 2005 12:44 PM
Absolutely.... If you don't _need_ it, BLOCK IT, period.
My work network blocks all high ports and all unneeded low ports. There are a couple of exceptions due to bad planning on the part of others (a local library runs its SSL on port 9000), and they are allowed, but only from those that need to use them - all other clients are blocked.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
September 22nd, 2005 12:50 PM
One thing to remember is:
Trojans, for example, like Back Orifice.... Not sure if those are used much now, but you can tell them to use any port you want, so your best bet is, besides taking Juridian's advice, to re-analyze what you need. If you aren't running any servers at all, you really don't have much of a need for ports being open; however, antivirus software needs ports to do updates.
And if you think that's stupid, THEY ALLLLLL USE VARYING PORTS....
Heh, anyway, take that into consideration, and think over a strategy that works for you.
Personally, I use DMZ for whatever I need on the Internet. Everything else is behind two routers and a switch and each machine is software firewalled.
September 22nd, 2005 05:15 PM
Don't get fooled into blocking all the ports that trojans/worms etc. use, though; a lot of the more harmful/sophisticated ones use ports that would be open on a network/host anyway: 25, 110, 21, 69, etc.
Programs like netcat can hijack any port they want (or are told to!) and take over a connection, if you can get them running on a target.
Just beware that blocking ports, whilst a good security practice, is not the only thing to do; you still need to run all the other stuff in conjunction with it. Firewall, AV, SW scanner, AW scanner, etc.
September 22nd, 2005 11:16 PM
You should also look into using a proxy such as Squid..
"Poor planning on your part does not necessitate an emergency on my part." -Unknown
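The advice in this thread (default-deny in both directions, open only what is needed, per-host exceptions for odd ports like the library's SSL on 9000, and pushing web traffic through a proxy such as Squid so that malware speaking raw HTTP on 80/8080 has nothing to talk to) can be expressed as one Linux gateway ruleset. The script below is an added example written for this page; it is not code posted by any of the participants. It generates an iptables-restore ruleset rather than applying it, so it can be inspected offline. The interface names, the 10.0.0.0/24 LAN, the resolver at 10.0.0.2, the Squid host at 10.0.0.3:3128 and the host 10.0.0.50 with its port-9000 exception are all hypothetical values chosen for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Generates a default-deny egress
# policy for a Linux gateway in iptables-restore format. All addresses and
# interface names below are hypothetical.
set -eu

LAN_IF="${LAN_IF:-eth1}"            # inside interface
WAN_IF="${WAN_IF:-eth0}"            # Internet-facing interface
LAN_NET="${LAN_NET:-10.0.0.0/24}"   # internal network
RESOLVER="${RESOLVER:-10.0.0.2}"    # internal DNS server
PROXY="${PROXY:-10.0.0.3}"          # Squid host, listening on 3128

# Services every LAN host may reach directly, as proto:port. Note that 80/443
# are deliberately absent: web traffic must go via the proxy, so a trojan that
# simply opens a socket to port 80 is dropped and logged instead of slipping
# out on a "normal" port.
LAN_ALLOW="udp:123 tcp:25 tcp:110 tcp:143 tcp:993 tcp:995"

# Per-host exceptions as src_ip:proto:dport (the "SSL on port 9000" case):
# only the host that needs it gets the hole, not the whole LAN.
HOST_ALLOW="10.0.0.50:tcp:9000"

egress_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Stateful: replies come back in only for flows the inside initiated.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# DNS only to the internal resolver, never straight to the Internet.
-A FORWARD -i $LAN_IF -s $LAN_NET -d $RESOLVER -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -d $RESOLVER -p tcp --dport 53 -j ACCEPT
# Web only via the proxy; the proxy alone may reach 80/443 outside.
-A FORWARD -i $LAN_IF -s $LAN_NET -d $PROXY -p tcp --dport 3128 -j ACCEPT
-A FORWARD -i $LAN_IF -s $PROXY -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
EOF
  for svc in $LAN_ALLOW; do
    proto=${svc%%:*}; port=${svc##*:}
    echo "-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -p $proto --dport $port -j ACCEPT"
  done
  for exc in $HOST_ALLOW; do
    src=${exc%%:*}; rest=${exc#*:}; proto=${rest%%:*}; port=${rest##*:}
    echo "-A FORWARD -i $LAN_IF -s $src -o $WAN_IF -p $proto --dport $port -j ACCEPT"
  done
  cat <<EOF
# Anything else leaving the LAN is logged, then falls to the DROP policy.
# This log is where an infected workstation shows up: direct 80/tcp, 6667/tcp
# or random high ports from a host that should only talk to the proxy.
-A FORWARD -i $LAN_IF -j LOG --log-prefix "EGRESS-DROP: " --log-level 4
COMMIT
EOF
}

# Crude offline check: does an explicit ACCEPT rule cover SRC PROTO DPORT,
# either for that host or for the whole LAN? (Ignores destination address.)
# Returns 0 if allowed, 1 if the flow would be dropped.
flow_allowed() {
  egress_rules | grep -q -- "-s $1 .*-p $2 --dport $3 -j ACCEPT" \
    || egress_rules | grep -q -- "-s $LAN_NET .*-p $2 --dport $3 -j ACCEPT"
}

# Run with --print to emit the ruleset (feed to iptables-restore on the gateway).
if [ "${1:-}" = "--print" ]; then egress_rules; fi
```

Only the proxy host is allowed to reach 80/443 on the outside, so the thread's warning about malware living on port 80 is answered structurally rather than by port number: a program that is not proxy-aware cannot get out, and its attempts land in the EGRESS-DROP log. Antivirus updaters that fetch over HTTP are unaffected as long as they honour the system proxy setting; anything that needs a non-standard port gets a per-host line in HOST_ALLOW, never a LAN-wide one.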