On Monday, 05-08-2024 at 23:27 Dan Purgert wrote:
> On Aug 04, 2024, George at Clug wrote:
> >
> >
> > On Sunday, 04-08-2024 at 16:15 john doe wrote:
> > > On 8/4/24 06:48, jeremy ardley wrote:
> > > >
> > > > On 4/08/2024 12:26 pm, George at Clug wrote:
> > > >>
> > > >> If I go to the local coffee shop and connect my laptop to their WiFi,
> > > >> which incoming and now outgoing ports should I have blocked to ensure
> > > >> that no nefarious people are able to communicate with my laptop
> > > >
> > > > The rules for public networks are very simple.
> > > >
> > > > - Allow all outgoing traffic
> > > >
> > >
> > > On a laptop, inbound connections should be restricted unless you want
> > > > services to be accessible on your laptop by way of FWing and
> > > securing the services.
> > >
> > > > Outbound connections are up to you.
> >
> > Thanks, John,
> >
> > I do like the idea of blocking all outbound connections, and only
> > opening ports that are required for whatever services I want to use.
> >
> > For servers I often do, but for workstations, sadly I am often lazy
> > and default to allowing all outgoing traffic.
>
> It's perfectly fine for a server or other installation that's set up to
> do "one thing" -- but the idea just falls over when you want to do
> "generic things" on the machine.
"server that's set up to do 'one thing'" - this is my use case.
>
> There's just too much out there that's running behind AWS / Cloudflare /
> etc. that you can't just block them; likewise, new protocols and the
> like (which, yes, are focused to "the web", but details) will just fail
> if you only allow certain ports to be reached.
I do not use AWS / Cloudflare / etc., so I am not sure what you mean by "you
can't just block them; likewise, new protocols and the like (which, yes, are
focused to 'the web', but details) will just fail if you only allow certain
ports to be reached."

The whole idea of blocking ports other than the ports required for the services
being hosted by the server is to have all other ports fail to be reached.

Sorry, but I do not understand what it is you are concerned about? I feel
there is something I may have missed that could be important.
>
> As for the (snipped) analogies you made -- they more addressed the ideas
> of 'security in depth' as a general concept, rather than addressed
> "outbound firewalls" at all.
>
>
>
> --
> |_|O|_|
> |_|_|O| Github: https://github.com/dpurgert
> |O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
>