Is it recommended to allow all outgoing connections from your firewall??
pauls at utdallas.edu
Wed May 10 18:55:54 PDT 2006
--On May 10, 2006 6:22:11 PM -0700 Mark Jayson Alvarez <jay2xra at yahoo.com>
wrote:
>
> I've seen most people allow all outgoing traffic
> originating from the firewall itself... Is this really
> recommended?? What if the machine has been
> compromised and the intruder has installed a program
> that lets him access the machine remotely by having
> the program itself initiate the outgoing connection
> to him, thus defying the incoming connection firewall
> ruleset...
>

Because if the machine has been compromised, it doesn't *matter* what the
outgoing ruleset is. Or what anything else is, for that matter.

If I hack your box, one of the first things I'm going to do is install a
rootkit. Then I'm going to wipe the logs of any evidence of my entry (but
leave them intact otherwise), clean my tracks from the shell history file
and remove any other evidence of my presence. "Bypassing" your firewall
rules is the least of my worries.

Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

More information about the freebsd-questions mailing list