[clug] Are outgoing firewalls of any use?

Paul Wayper paulway at mabula.net
Thu Jul 2 13:09:44 GMT 2009


On 02/07/09 16:55, Francis Markham wrote:
> Are there any other options for application level blocking rather than port
> level blocking?  SELinux has the reputation of being rather fussy and
> breaking things.  Ideally, something that can be interactively "trained" à la
> Windows desktop firewalls.

<span speech="sarcasm">Because judging a technology based on outdated hearsay 
is always such a reliable way of making a decision</span>.

Seriously, though, interactively "trained"?  You mean like those pop-up 
security questions in Windows that users learn to just click on 'accept' 
without actually reading?  Something which doesn't give you all the detail, or 
gives you everything but makes it hard to read, or better yet offers little 
control so you can only say "this application cannot access the internet" or 
"go right ahead, I trust you...".  In other words, something where you have no 
real control, you have to just use whatever the GUI designer decided to write.

Or do you mean like SELinux's 'permissive mode', which reports the errors but 
still allows the access?  Where you can then use something like 'audit2allow' 
to convert the error messages to a text file, which you can then edit and 
refine into a real security policy.

I agree with the idea of outbound firewalls but my observation is that it's 
going to be the details which determine how the thing is set up.  Some people 
might want an absolutely locked-down outgoing policy that allowed ports 80, 
443 and 53 outgoing and that's it; some might simply want to bar all traffic 
on certain ports that the internet should never allow traffic on (e.g. 
NETBIOS); some might want to bar access to entire IP ranges as well, etc. etc. 
etc.  The possibilities are endless.

As to whether they're any use, once again it comes down to risks and costs. 
If you're running a bunch of unprotected Windows machines in your network, 
then locking down outgoing requests makes a lot of sense.  If you're running a 
couple of Linux hosts, then leaving it mostly open will be far easier.  If you 
love a lot of fiddling with config files and rules databases, then locking it 
down is going to appeal.  For most people with decent in-network security, 
leaving outgoing access open will not make that security any worse.

Have fun,

Paul
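
As an added example that is not part of Paul's post or anything from the clug list: the three outbound policies he sketches (lock egress down to 53/80/443; leave it open but never let NETBIOS/SMB out; drop a whole destination range) written out as nftables rulesets. The table name `egress`, the log prefixes and the example range 203.0.113.0/24 (a documentation range) are choices made here for illustration. Note that this is port-level blocking, which is exactly what Francis was asking for alternatives to; it cannot tell which application opened the socket.

```shell
#!/bin/sh
# Three outbound nftables policies, each printed as a complete ruleset.
# Apply one with:  egress_lockdown | nft -f -     (as root)
# Table/chain names and the log prefixes are illustrative assumptions.

# Policy 1: locked-down egress. Only DNS (53/udp, 53/tcp), HTTP (80) and
# HTTPS (443) may originate from this host. The 'ct state' rule matters:
# with 'policy drop' on the output hook, replies to connections that came
# *in* (ssh, a local web server) are outbound packets too and would be
# dropped without it.
egress_lockdown() {
    cat <<'EOF'
table inet egress {
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    udp dport 53 accept
    tcp dport { 53, 80, 443 } accept
    log prefix "egress-drop: " drop
  }
}
EOF
}

# Policy 2: egress stays open, but NETBIOS/SMB (137-139, 445) never leaves
# the host. Logging the drops shows which machine is trying.
egress_block_netbios() {
    cat <<'EOF'
table inet egress {
  chain output {
    type filter hook output priority 0; policy accept;
    tcp dport { 137, 138, 139, 445 } log prefix "netbios-out: " drop
    udp dport { 137, 138 } log prefix "netbios-out: " drop
  }
}
EOF
}

# Policy 3: egress open except for one destination range. The default
# range is 203.0.113.0/24 (TEST-NET-3), a constructed example only.
egress_block_range() {
    range="${1:-203.0.113.0/24}"
    cat <<EOF
table inet egress {
  chain output {
    type filter hook output priority 0; policy accept;
    ip daddr ${range} log prefix "range-out: " drop
  }
}
EOF
}

# Syntax-check a generated ruleset without loading it, when nft is present.
# Returns 0 (skipped) if nft is not installed.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 0
    nft -c -f -
}
```

The generated text can be inspected before loading (`egress_lockdown | check_ruleset`), which is the cheap way to catch a typo before you lock yourself out of a remote box. Mixing the policies is a matter of putting the drop rules of policy 2 or 3 above the accept rules of policy 1 in the same chain.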

