Saturday, July 02, 2005

Re: Firewall-troubleshooting

On 3 Jul 2005, Steve Kemp wrote:
> On Sat, Jul 02, 2005 at 04:46:29PM -0400, KC wrote:

[...]

> One thing did stand out though, you don't allow outgoing connections
> generally. These lines:
>
>> iptables --policy OUTPUT DROP
>> iptables -t nat --policy OUTPUT DROP
>> iptables -t mangle --policy OUTPUT DROP
>
> They seem to say "no output except that which is explicitly allowed".
>
> For a big network I too would restrict outgoing connections, but for
> a home machine with only trusted hosts? It's an additional complication
> which doesn't gain you much.
>
> (Sure if you had a trojan which phoned home, or tried to compromise
> other hosts .. it would help. But .. in general it is less useful than
> it appears).

...you mean, like every one of the increasingly popular remote control
trojans that infest Windows machines?

Alternately, the variety of IRC remote-controlled things that get
installed after some automated exploit of a hole in your Linux/Unix
machines?

Believe me, you *do* benefit from having this sort of protection for a
small home network -- in some cases, *more* than you do for large
organisations, since they often have rules to stop people doing (too
much) stupid stuff...

Daniel

--
Nothing is more beautiful than the loveliness of the woods before sunrise.
-- George Washington Carver
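The thread quotes only the three `--policy OUTPUT DROP` lines, not the allow rules that must sit in front of them. The script below is an added example written for this page, not configuration from either poster: it emits an iptables-restore fragment for the filter table's OUTPUT chain with a default DROP policy, explicit allows for loopback, already-established traffic, DNS to named resolvers, NTP, SSH, HTTP and HTTPS, and a rate-limited LOG before the final drop so that a phoning-home process shows up in the kernel log rather than failing silently. The resolver and NTP addresses are placeholders from the 192.0.2.0/24 documentation range, the port list is an assumption about what a small home box needs, and the fragment deliberately leaves INPUT, FORWARD and the nat/mangle tables to the rest of the ruleset.

```shell
#!/bin/sh
# Added example: generate an egress (OUTPUT chain) ruleset in iptables-restore
# format. Nothing here touches the live firewall; review the output with
#   ./egress.sh --print | sudo iptables-restore --test
# and load it only once the allow list matches what the machine really needs.

# Assumed site parameters (constructed placeholders, not from the thread).
RESOLVERS="${RESOLVERS:-192.0.2.53 192.0.2.54}"   # upstream DNS servers
NTP_SERVERS="${NTP_SERVERS:-192.0.2.123}"         # time source
ALLOW_TCP="${ALLOW_TCP:-22 80 443}"               # ssh, http, https
ALLOW_UDP="${ALLOW_UDP:-}"                         # none beyond DNS/NTP by default

egress_rules() {
    # Default policy DROP, as in the quoted configuration; everything that is
    # allowed must be listed explicitly below.
    cat <<'EOF'
*filter
:OUTPUT DROP [0:0]
:EGRESS_LOG - [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
EOF

    # DNS only to the configured resolvers, not to any host on port 53.
    for r in $RESOLVERS; do
        cat <<EOF
-A OUTPUT -p udp -d $r --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -d $r --dport 53 -m conntrack --ctstate NEW -j ACCEPT
EOF
    done

    # NTP only to the configured time source.
    for n in $NTP_SERVERS; do
        cat <<EOF
-A OUTPUT -p udp -d $n --dport 123 -m conntrack --ctstate NEW -j ACCEPT
EOF
    done

    # General-purpose client ports, new connections only.
    for p in $ALLOW_TCP; do
        cat <<EOF
-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT
EOF
    done
    for p in $ALLOW_UDP; do
        cat <<EOF
-A OUTPUT -p udp --dport $p -m conntrack --ctstate NEW -j ACCEPT
EOF
    done

    # Outbound ping is handy for diagnosis and low risk.
    cat <<'EOF'
-A OUTPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
EOF

    # Anything else: log (rate limited so a chatty process cannot flood the
    # log) and then drop. The EGRESS-DROP prefix is what to grep for in
    # the kernel log when hunting for unexpected outbound connections.
    cat <<'EOF'
-A OUTPUT -j EGRESS_LOG
-A EGRESS_LOG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "EGRESS-DROP: " --log-level 4
-A EGRESS_LOG -j DROP
COMMIT
EOF
}

# Print the ruleset when invoked directly with --print.
if [ "${1:-}" = "--print" ]; then
    egress_rules
fi
```

The order matters: loopback and ESTABLISHED,RELATED come first so that replies to permitted connections never reach the LOG rule, and the logging jump is the last rule in OUTPUT so that only traffic no allow rule matched is recorded. Pinning DNS and NTP to specific servers, rather than allowing port 53 or 123 to anywhere, is what turns the chain from "mostly open" into something that actually obstructs a phone-home over a disguised port.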

