On 9/29/11 17:46 , Robert Bonomi wrote:
>> From: Nathan Eisenberg <nat...@atlasnetworks.us>
>> Subject: RE: Synology Disk DS211J
>> Date: Thu, 29 Sep 2011 21:58:23 +0000
>>
>>> And this is why the prudent home admin runs a firewall device he or she
>>> can trust, and has a "default deny" rule in place even for outgoing
>>> connections.
>>>
>>> - Matt
>>>
>>
>> The prudent home admin has a default deny rule for outgoing HTTP to port
>> 80? I doubt it.
>>
>
> No, the prudent and knowledgeable prudent home admin does not have default deny
> rule just for outgoing HTTP to port 80.
>
> He has a default deny rule for _everything_. Every internal source address,
> and every destination port. Then he pokes holes in that 'deny everything'
> for specific machines to make the kinds of external connections that _they_
> need to make.

Tell me how that flies with the customers in your household...

> Blocking outgoing port 80, _except_ from an internal proxy server, is not
> necessarily a bad idea. If the legitimate web clients are all configured
> to use the proxy server, then _direct_ external connection attempts are
> an indication that something "not so legitimate" may be running.
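
The check described in the quoted text above (direct outbound port-80 attempts from anything other than the proxy), sketched over firewall logs as an added example that is not part of the original thread. The proxy address, the `EGRESS-NEW` log prefix and every log line are constructed assumptions; the field layout follows the netfilter LOG target.

```python
import re
from collections import defaultdict

# Assumptions (not from the thread): the proxy's address, the "EGRESS-NEW"
# prefix on logged outbound connections, and all sample lines are constructed.
PROXY = "192.168.1.2"
WEB_PORTS = {80}

SAMPLE_LOG = """\
Sep 29 17:40:01 fw kernel: EGRESS-NEW IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51514 DPT=80 SYN
Sep 29 17:40:02 fw kernel: EGRESS-NEW IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51515 DPT=80 SYN
Sep 29 17:41:10 fw kernel: EGRESS-NEW IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40022 DPT=6667 SYN
Sep 29 17:42:30 fw kernel: EGRESS-NEW IN=eth1 OUT=eth0 SRC=192.168.1.2 DST=203.0.113.99 LEN=60 PROTO=TCP SPT=33000 DPT=80 SYN
Sep 29 17:43:00 fw kernel: EGRESS-NEW IN=eth1 OUT=eth0 SRC=192.168.1.51 DST=192.0.2.53 LEN=71 PROTO=UDP SPT=5353 DPT=53
garbage line that is not a firewall record
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def parse(line):
    """Return the key=value fields of one logged connection, or None."""
    if "EGRESS-NEW" not in line:
        return None
    rec = dict(FIELD.findall(line))
    return rec if {"SRC", "DST", "PROTO", "DPT"} <= rec.keys() else None

def direct_web_attempts(log_text, proxy=PROXY, ports=WEB_PORTS):
    """Map each non-proxy internal host to the web destinations it tried directly."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["PROTO"] != "TCP" or not rec["DPT"].isdigit():
            continue
        # The proxy is the one host with a legitimate hole for port 80.
        if int(rec["DPT"]) in ports and rec["SRC"] != proxy:
            hits[rec["SRC"]].add((rec["DST"], int(rec["DPT"])))
    return dict(hits)

if __name__ == "__main__":
    for src, dests in sorted(direct_web_attempts(SAMPLE_LOG).items()):
        print(f"{src} bypassed the proxy: {sorted(dests)}")
```
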