
egress filtering? yes!

Posted Apr 11, 2006 15:51 UTC (Tue) by lutchann (subscriber, #8872)
In reply to: egress filtering? by man_ls
Parent article: Crossplatform virus - the latest proof of concept

You're right, which is why I don't allow connections via port 80 to just any server. All allowed outbound connections from my internal networks are fully specified by source host, destination host and destination port; for the most part this is limited to allowing only connections to a client's servers or VPN endpoint, plus my local DNS and NTP servers. This reasonably well isolates all my internal networks from each other and the Internet, which conveniently solves a lot of problems that IT departments tend to bring up when you request VPN access to their network.



a bit excessive

Posted Apr 11, 2006 16:06 UTC (Tue) by man_ls (subscriber, #15091)

So, what do you do when you have a problem in the network and need to look something up on the web?

a bit excessive

Posted Apr 11, 2006 16:34 UTC (Tue) by lutchann (subscriber, #8872)

I have other networks here besides those I consider "internal"--everything with Internet access is in a DMZ-type network, so laptop+wireless works fine for web and IM. But from the perspective of the internal networks where all the real work goes on, the DMZ is as untrustworthy as the open Internet.
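The egress policy described in this thread (every permitted outbound flow named by source host, destination host, destination port and protocol; only DNS, NTP, client servers and VPN endpoints allowed; the DMZ treated like the open Internet from the internal network's point of view) can be expressed as a default-deny iptables chain generated from a small policy table. The script below is an added example and is not code from either commenter or from LWN. The addresses, interface name (`eth1` as the internal-facing interface of the router) and comment tags are constructed placeholders; the script only prints the `iptables` commands so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the LWN thread): a default-deny egress policy in
# which every allowed flow is fully specified as
#   source  destination  protocol  destination-port  tag
# Hosts, networks, ports and the interface name are constructed placeholders.
# Nothing here touches the live firewall: the iptables commands are printed,
# so they can be reviewed and then applied with  ./egress.sh | sh  as root.

EGRESS_POLICY='
10.1.0.0/24   10.1.0.53      udp 53    local-dns
10.1.0.0/24   10.1.0.53      tcp 53    local-dns-tcp
10.1.0.0/24   10.1.0.123     udp 123   local-ntp
10.1.0.10     198.51.100.7   udp 1194  client-a-vpn
10.1.0.11     203.0.113.22   tcp 22    client-b-ssh
'

# Emit the rules for a dedicated EGRESS chain hooked into FORWARD on the
# router between the internal network (eth1, assumed) and the DMZ/Internet.
gen_egress_rules() {
    printf '%s\n' 'iptables -N EGRESS 2>/dev/null || iptables -F EGRESS'
    # Replies to flows already permitted below are allowed back through.
    printf '%s\n' 'iptables -A EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One ACCEPT per policy line; blank lines in the table are skipped.
    printf '%s\n' "$EGRESS_POLICY" | while read -r src dst proto dport tag; do
        [ -z "$src" ] && continue
        printf 'iptables -A EGRESS -s %s -d %s -p %s --dport %s -m comment --comment %s -j ACCEPT\n' \
            "$src" "$dst" "$proto" "$dport" "$tag"
    done
    # Anything not named above is logged (rate-limited, so a noisy host cannot
    # flood the log) and dropped. The log line is the detection signal for a
    # compromised internal host trying to phone home.
    printf '%s\n' 'iptables -A EGRESS -m limit --limit 6/min -j LOG --log-prefix "EGRESS-DENY: "'
    printf '%s\n' 'iptables -A EGRESS -j DROP'
    printf '%s\n' 'iptables -I FORWARD -i eth1 -j EGRESS'
}

# Number of ACCEPT rules the policy yields: the conntrack rule plus one per flow.
count_accept_rules() {
    gen_egress_rules | grep -c ' -j ACCEPT$'
}

gen_egress_rules
```

Because the policy lives in one table, adding a new client means adding one fully specified line rather than loosening an existing rule, and the `EGRESS-DENY:` log prefix gives a single string to watch for in syslog when something on the internal network tries a connection that was never authorised.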

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds