James Stevenson wrote:
>> > > useful in this environment?
>> > Many folks like that one. I use shorewall. You can always block
>> > outgoing ports that you don't use. If you don't run an ftp server, block
>> > port 20 and 21, etc.
>> >
>> That is why I really like the "default deny" mentality. Start by
>> blocking all incoming and outgoing new connections. Allow only incoming
>> connections for services that you know you are running. Allow only
>> outbound connections for things you know you want to do. If you only
>> browse the web and use ssh, then only allow those ports. Many badware
>> applications use port 80 or port 443, since those are very rarely
>> blocked. For bonus points, block those and set up an authenticating
>> proxy.
>
> The default deny policy can also open up a security hole on its own.
> Be aware that the default rate limited reject policy can be better.
>
> Even for blocking 80 / 443 this is why some places use proxies, because you
> block everything else but allow the proxy. It can be even more secure to
> use a transparent proxy because something on port 80 is forced to talk
> http instead of another protocol.
Be advised that it is a bad idea to set up a transparent authenticating proxy as this will utterly break HTTP authentication.
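A host ruleset of the kind the thread describes (default deny in both directions, allow only ssh in and ssh/web out, rate-limited REJECT rather than a silent DROP for the rest), written for iptables as an added example that is not from anyone in this thread. It assumes IPv4 iptables with the conntrack and limit modules; the ALLOW_IN/ALLOW_OUT port lists are assumed placeholders for the services of the host it runs on.

```shell
#!/bin/sh
# Default-deny host firewall (added example). Assumes IPv4 iptables with the
# conntrack and limit modules. Run as "sh fw.sh apply"; IPT=echo gives a dry run.
IPT="${IPT:-iptables}"
ALLOW_IN="${ALLOW_IN:-22}"          # services this host runs (ssh)
ALLOW_OUT="${ALLOW_OUT:-22 80 443}" # things this host is allowed to do

apply_default_deny() {
    # Start from nothing: every chain denies by default.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback, plus replies to connections we already permitted.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New inbound connections only to services we know we run.
    for p in $ALLOW_IN; do
        $IPT -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # New outbound connections only for things we know we want to do;
    # web browsing also needs name resolution.
    for p in $ALLOW_OUT; do
        $IPT -A OUTPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    # Locally generated traffic that is not allowed fails immediately.
    $IPT -A OUTPUT -j REJECT

    # Rate-limited REJECT instead of a silent DROP for everything else inbound:
    # legitimate peers fail fast, but the host emits only a bounded stream of
    # RST/ICMP replies; the excess falls through to the DROP policy. Log a
    # trickle of the rest so refused traffic stays visible.
    $IPT -A INPUT -p tcp -m limit --limit 10/second --limit-burst 20 \
         -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -m limit --limit 10/second --limit-burst 20 \
         -j REJECT --reject-with icmp-port-unreachable
    $IPT -A INPUT -m limit --limit 1/minute -j LOG --log-prefix "fw-drop: "
}

if [ "${1:-}" = apply ]; then
    apply_default_deny
fi
```

Running it with `IPT=echo` prints the rules it would install instead of applying them, which is the quickest way to review the policy before locking yourself out of a remote box.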