On Aug 04, 2024, George at Clug wrote:
> On Sunday, 04-08-2024 at 16:15 john doe wrote:
> > On 8/4/24 06:48, jeremy ardley wrote:
> > > On 4/08/2024 12:26 pm, George at Clug wrote:
> > > > If I go to the local coffee shop and connect my laptop to their WiFi,
> > > > which incoming and now outgoing ports should I have blocked to ensure
> > > > that no nefarious people are able to communicate with my laptop
> > >
> > > The rules for public networks are very simple.
> > >
> > > - Allow all outgoing traffic
> >
> > On a laptop, inbound connections should be restricted unless you want
> > services to be accessible on your laptop by way of FWing and
> > securing the services.
> >
> > Outbound connections are up to you.
>
> Thanks, John,
>
> I do like the idea of blocking all outbound connections, and only
> opening ports that are required for whatever services I want to use.
>
> For servers I often do, but for workstations, sadly I am often lazy
> and default to allowing all outgoing traffic.
It's perfectly fine for a server or other installation that's set up to do "one thing" -- but the idea just falls over when you want to do "generic things" on the machine. There's just too much out there that's running behind AWS / Cloudflare / etc. that you can't just block them; likewise, new protocols and the like (which, yes, are focused on "the web", but details) will just fail if you only allow certain ports to be reached.

As for the (snipped) analogies you made -- they more addressed the ideas of 'security in depth' as a general concept, rather than addressed "outbound firewalls" at all.

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
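A concrete rendering of the policy the thread converges on (inbound restricted to replies and the few control messages a client needs, outbound left open), as an added nftables example that is not from any of the posters. It assumes a Linux laptop running nftables on a single WiFi interface; the table name `laptop` and the service-port comment are illustrative.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): laptop ruleset for untrusted WiFi.
# Load with: nft -f laptop.nft
flush ruleset

table inet laptop {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback traffic never leaves the machine
        iif "lo" accept

        # Replies to connections this laptop opened itself
        ct state established,related accept
        ct state invalid drop

        # DHCPv4 offers/acks are often broadcast and not reliably matched
        # by conntrack, so allow them explicitly (remove on static-only nets)
        udp sport 67 udp dport 68 accept

        # IPv6 does not work without neighbour discovery and router
        # advertisements; dropping all ICMPv6 silently breaks v6 connectivity
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, nd-redirect } accept
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        icmp type { destination-unreachable, time-exceeded,
                    parameter-problem } accept

        # Everything else inbound (ping, SSH, SMB, mDNS, ...) hits the drop
        # policy. Open a service port only after hardening that service, e.g.:
        #   tcp dport 22 accept
    }

    chain forward {
        # A laptop is not a router
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        # Allow all outbound, as recommended for a general-purpose workstation
        type filter hook output priority filter; policy accept;
    }
}
```

Verify with `nft list ruleset` after loading, and test from another host on the same WiFi that a new inbound TCP connection times out while a browser session from the laptop still works.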