ipfilter outgoing

[Erik Norgaard]

dick hoogendijk wrote:
> It's difficult to program all outgoing filter rules in ipf. Every now
> and then I bumb into a blocked connection that I did want to work in the
> first place. Only because an outgoing port was/is blocked.
> 
> What is the most secure way to do things? Block all outgoing and open up
> what I wnat or can I use i.e. the next rule in a safe way:
> 
> ### pass out quick proto tcp/udp from any to any keep state keep frags
> 
> Any help or suggestions are appreciated. Yes I did read all the ipf help
> files but it dazzles me.

What are you protecting against? If you are the only user, and you trust 
your self, and you can assume that your system has not been compromised, 
then all outgoing connections are legitimate.

Usually you filter incoming connections. Filtering outgoing has the 
effect of limiting the spread of a posible compromise or abuse by 
non-privileged users.

If you want to restrict outgoing, then allow anything below port 1024 - 
if this is too much then read /etc/services. Above 1024 are all the 
non-standard services, kazaa, skype, X, mysql and other stuff.

Beware, that cvsup connects to port 5999, and passive ftp-data connects 
to some port > 1024 depending on server config (however I think default 
is/should be > 49151).

Cheers, Erik
-- 
Ph: +34.666334818                           web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2