On Monday, 05-08-2024 at 23:27 Dan Purgert wrote:
> On Aug 04, 2024, George at Clug wrote:
> >
> >
> > On Sunday, 04-08-2024 at 16:15 john doe wrote:
> > > On 8/4/24 06:48, jeremy ardley wrote:
> > > >
> > > > On 4/08/2024 12:26 pm, George at Clug wrote:
> > > >>
> > > >> If I go to the local coffee shop and connect my laptop to their WiFi,
> > > >> which incoming and now outgoing ports should I have blocked to ensure
> > > >> that no nefarious people are able to communicate with my laptop
> > > >
> > > > The rules for public networks are very simple.
> > > >
> > > > - Allow all outgoing traffic
> > > >
> > >
> > > On a laptop, inbound connections should be restricted unless you want
> > > services to be accessible on your laptop by way of FWing and
> > > securing the services.
> > >
> > > Outbound connections are up to you.
> >
> > Thanks, John,
> >
> > I do like the idea of blocking all outbound connections, and only
> > opening ports that are required for whatever services I want to use.
> >
> > For servers I often do, but for workstations, sadly I am often lazy
> > and default to allowing all outgoing traffic.
>
> It's perfectly fine for a server or other installation that's set up to
> do "one thing" -- but the idea just falls over when you want to do
> "generic things" on the machine.
>
> There's just too much out there that's running behind AWS / Cloudflare /
> etc. that you can't just block them; likewise, new protocols and the
> like (which, yes, are focused to "the web", but details) will just fail
> if you only allow certain ports to be reached.
>
Dan, I would like to apologise. I have been 'caught in my thinking' about past
days when I was using quite simple, in-house hosted systems where you had full
control of, and responsibility for, all security implementations.

I have not used the services of AWS or Cloudflare. I have only once used a
CLOUD hosted VM (OpenStack) and it was not much different to using our in-house
servers.

Now I just tinker at home, hence I am not in the mindset that comes with using
large commercial services like Cloudflare or AWS.

Is it possible to be aware of all the ports required by systems/services like
"AWS / Cloudflare / etc", such that it is possible to ensure any firewalls that
are put in place do not inhibit the features of these systems?

I am wondering how much direct control of security one loses when using third
party services like Cloudflare.

George.
> As for the (snipped) analogies you made -- they more addressed the ideas
> of 'security in depth' as a general concept, rather than addressed
> "outbound firewalls" at all.
>
>
>
> --
> |_|O|_|
> |_|_|O| Github: https://github.com/dpurgert
> |O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
>
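The laptop policy the thread converges on (drop unsolicited inbound, allow all outbound, let replies to the laptop's own connections back in) written out as an nftables ruleset. This is an added example, not part of any message above: the table name `laptop`, the `check_ruleset` helper and the file path are my own choices, and the ICMP/ICMPv6 allowances are a practical addition, since a bare inbound drop would also silence the path-MTU and IPv6 neighbour-discovery messages a client needs.

```shell
#!/bin/sh
# Added example (not from the thread): nftables ruleset for a laptop on an
# untrusted network such as coffee-shop WiFi.
#   input   -> policy drop: nothing unsolicited reaches local services
#   output  -> policy accept: the "allow all outgoing" rule from the thread
#   conntrack lets replies to our own outbound connections back in.
# Table name "laptop" is an assumption; any name works.

laptop_ruleset() {
    cat <<'EOF'
flush ruleset
table inet laptop {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMP error messages keep path-MTU discovery and traceroute working
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        # IPv6 will not function at all without router/neighbour discovery
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        # Deliberately no SSH, no file sharing, no mDNS/SSDP on public WiFi.
        # To expose a service at home, add e.g.: tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the ruleset to a file and, when nft is installed, parse-check it.
# "nft -c -f FILE" only checks; loading for real is "nft -f FILE" as root.
check_ruleset() {
    file=${1:-/tmp/laptop.nft}          # path is an assumption
    laptop_ruleset > "$file"
    if command -v nft >/dev/null 2>&1; then
        if nft -c -f "$file" 2>/dev/null; then
            echo "ruleset parses: $file"
        else
            echo "nft could not check $file (try again as root)"
        fi
    else
        echo "nft not installed; wrote $file unchecked"
    fi
    return 0
}

check_ruleset "${TMPDIR:-/tmp}/laptop.nft"
```

On Debian the persistent place for this is /etc/nftables.conf, loaded by nftables.service at boot; the point of the `ct state established,related` line is that an outbound-accept policy stays usable on a laptop precisely because inbound never has to list ports, only connections the laptop itself started.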