On Sun, Aug 4, 2024 at 3:12 AM George at Clug <c...@goproject.info> wrote:

>
>
> On Sunday, 04-08-2024 at 16:15 john doe wrote:
> > On 8/4/24 06:48, jeremy ardley wrote:
> > >
> > > On 4/08/2024 12:26 pm, George at Clug wrote:
> > >>
> > >> If I go to the local coffee shop and connect my laptop to their WiFi,
> > >> which incoming and now outgoing ports should I have blocked to ensure
> > >> that no nefarious people are able to communicate with my laptop
> > >
> > > The rules for public networks are very simple.
> > >
> > > - Allow all outgoing traffic
> > >
> >
> > On a laptop, inbound connections should be restricted unless you want
> > services to be accessible on your laptop by way of FWing and
> > securing the services.
> >
> > Outbound connections are up to you.
>
> Thanks, John,
>
> I do like the idea of blocking all outbound connections, and only opening
> ports that are required for whatever services I want to use.
>
> For servers I often do, but for workstations, sadly I am often lazy and
> default to allowing all outgoing traffic.
>
> When asked to explain why I want to block outgoing connections, I do find
> it difficult to justify but here are a few thoughts:
>
> 1) I like the principle of making this as hard as possible for the 'bad'
> guys. If they break in, they might as well not have it easy. As an analogy, I
> can have a gate at the front of my house, then I have a deadlocked door
> (not just a lock from the outside). Then if I had valuables, they would be
> in a steel safe, and the safe would be bolted to the concrete floor. All of
> this will not stop the determined, but why let it be easy.
>
> 2) Staying with analogies, I like having double locked doors. If someone
> breaks in through the window, they have to exit the same way, and not just
> walk out through the front/back door, making it a bit more difficult to carry
> everything out. In IT terms, if someone has gained access to my server via
> a service level exploit, they (hopefully) only have that service's level of
> access. If the local network is blocked, port scanning is going to be more
> challenging, as would a number of other network based attacks.
>
> 3) I believe a number of exploits, once they gain a small footprint, then
> create a listening service to allow remote access to the system. If this
> cannot be achieved, then again, I have made their lives harder.
>
> The main challenge as I see it is to ensure no 'bad' guys gain root
> access, but as above, until then, make their lives as hard as possible to do
> anything by limiting and locking down anything you can while still allowing
> the system to achieve its intended purpose.
>
> Any comments on the above thoughts?
>
> George.
>

Outbound ports are selected randomly. If you block outbound ports, you'll
block your ability to communicate with anything over the network. If you
want to "block outbound stuff" block all outbound connections to any
destination, then allow outbound connections to address ranges you want to
connect to, from any local port.

You'll find this is an exercise in frustration, however, in today's cloud
powered Internet.

It's best to follow Jeremy Ardley's advice.

-- 
Chris

"If you wish to make an apple pie from scratch, you must first invent the
Universe." -- Carl Sagan
