Topic: What's the use of outbound rules really?
« on: June 22, 2008, 08:23:14 »
Seb74 ***
Posts: 115

Maybe more theoretical than a specific M0n0wall question, but what's the use really?
Aren't all client connections using dynamic port numbers?
When I browse this site right now with FF I have 52754 outgoing (although proxied in some way through my antivirus, so it's not going to port 80), but the next time I could as well have 52780 or whatever.
Same thing with all, or almost all, applications I guess.

Servers mostly listen on one single port, 22 for ssh, 80 for http and so on, so it's easy to control incoming with static firewall rules, but what's the use of firewalling OUTGOING?
Of course, you could block a single PC on your LAN from ever reaching out, but that would have to be every single port then, so the port-granularity thing for outgoing I don't get.
Maybe some special apps use specific source ports for outgoing and those few examples can be blocked then?

Thanks

EDIT: Application-aware personal firewalls are another thing of course, but I mean external ones like M0n0 that only know of IP:Port.
« Last Edit: June 22, 2008, 08:38:55 by Seb74 »
« Reply #1 on: June 22, 2008, 22:51:02 »
cmb *****
Posts: 851

Maybe more theoretical than a specific M0n0wall question, but what's the use really?
Aren't all client connections using dynamic port numbers?

For source ports, sure. Destination is another matter entirely.

Egress filtering is a good thing. You should block everything you don't need and only allow what you do. This can prevent certain exploits from working, for one. Don't need IRC? Don't allow it and you knocked out some bots' abilities to work. That's just one example. It's also beneficial for log analysis purposes: when you see something getting dropped by your egress rules, it's probably indicative of a problem. Maybe an unauthorized application, maybe an owned host.

Those are the benefits of egress filtering in a nutshell. I suggest you Google it; you'll find a lot more info. It's a best practice with any firewall to tighten your egress rules.
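To make the two points in this reply concrete (a default-deny egress policy keyed on destination port, and reviewing what that policy drops), here is an added example that is not part of the thread and not M0n0wall's own code. It evaluates constructed LAN-to-WAN connection records against a hypothetical allowlist and then summarizes the denied connections per source host and destination port, which is the kind of view that makes an unauthorized application or compromised host stand out. The policy, hosts and ports are all assumptions made up for the example.

```python
"""Added example (not from the m0n0wall thread): a minimal egress policy
evaluator and a summary of its drops. Every host, port and record below is
constructed sample data, not real traffic."""
from collections import defaultdict

# Hypothetical egress allowlist: destination ports permitted from LAN to WAN.
# Anything not listed is denied, i.e. "block everything you don't need".
# Note that source ports play no role; the decision is on destination port,
# which is the point made in the reply above.
ALLOWED_EGRESS = {
    "tcp": {22, 80, 443},
    "udp": {53, 123},
}

# Constructed connection records: (src_ip, proto, dst_ip, dst_port)
CONNECTIONS = [
    ("192.168.1.10", "tcp", "203.0.113.5", 80),
    ("192.168.1.10", "tcp", "203.0.113.5", 443),
    ("192.168.1.10", "udp", "192.0.2.53", 53),
    ("192.168.1.20", "tcp", "198.51.100.7", 6667),  # IRC, not in policy
    ("192.168.1.20", "tcp", "198.51.100.7", 6667),
    ("192.168.1.20", "tcp", "198.51.100.9", 6667),
    ("192.168.1.30", "tcp", "203.0.113.8", 25),     # direct SMTP, not in policy
    ("192.168.1.30", "tcp", "203.0.113.8", 443),
]


def egress_allowed(proto, dst_port, policy=ALLOWED_EGRESS):
    """Default-deny check: only (proto, dst_port) pairs in the policy pass."""
    return dst_port in policy.get(proto, set())


def evaluate(connections, policy=ALLOWED_EGRESS):
    """Return one decision per record: (src_ip, proto, dst_ip, dst_port, action)."""
    decisions = []
    for src_ip, proto, dst_ip, dst_port in connections:
        action = "pass" if egress_allowed(proto, dst_port, policy) else "block"
        decisions.append((src_ip, proto, dst_ip, dst_port, action))
    return decisions


def summarize_blocks(decisions, threshold=1):
    """Count blocked connections per (src_ip, proto, dst_port) and return the
    combinations seen at least `threshold` times, most frequent first. Repeated
    drops from one host to one unexpected port are what a reviewer looks for."""
    counts = defaultdict(int)
    for src_ip, proto, _dst_ip, dst_port, action in decisions:
        if action == "block":
            counts[(src_ip, proto, dst_port)] += 1
    flagged = {key: n for key, n in counts.items() if n >= threshold}
    return dict(sorted(flagged.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    decisions = evaluate(CONNECTIONS)
    for d in decisions:
        print("%-6s %s %s -> %s:%d" % (d[4], d[1], d[0], d[2], d[3]))
    print("repeated egress drops:", summarize_blocks(decisions, threshold=2))
```

Running it shows the four denied records and flags 192.168.1.20 for three attempts to reach TCP 6667; the single SMTP attempt from 192.168.1.30 is also dropped but falls below the repeat threshold, so tune `threshold` to how noisy your LAN is.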
« Reply #2 on: June 23, 2008, 11:19:36 »
Seb74 ***
Posts: 115

Ah, thanks, of course that's it.
Block destination port 80 and no one can browse the web.

That's what some ISPs do then when they try to block popular filesharing applications... they don't block on source since it's dynamic, they block on destination...
...and then the people running the servers just change the port or give alternative server ports and that problem is out of the way.