David said:

> ...So long as you allow _any_ data (even de-encapsulated over say a
> userspace TCP relay) to pass between the Internet and your PC, there
> is a way it can be used to compromise you. Dropping ports makes it
> marginally harder, but not hard enough for the truly motivated.
>
> A common example of this folly is to limit people to say 80/443,
> which prevents people from doing anything they like. It does
> _no_ _such_ _thing_, it's trivial to set up a tunnel over 443 or 80
> and get any access you want. It does require some knowledge, but it's
> easy to implement...
Agreed. So, we take one step further along this restrictive path... As Nick said: "...why let any machine other than the mailserver get out on port 25?..." But it's also possible to extend this logic and restrict outward 80/443 to a proxy server, and set various policies etc. on that. With this in place, and access to the proxy server restricted, the cute tricks with 'nc' and similar shouldn't work.

- steve
http://www.commarc.co.nz
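The egress policy Steve describes (only the mail server may originate SMTP, only the proxy may originate HTTP/HTTPS, everything else from the LAN is dropped) written out as an nftables ruleset, plus a small pure-shell evaluator that mirrors the same decisions so the logic can be checked without loading it into a kernel. This is an added example, not part of the thread; the addresses 10.0.0.25 (mail server), 10.0.0.80 (proxy) and 10.0.0.0/24 (LAN), the table name `egress` and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed addresses:
MAILSERVER="10.0.0.25"   # the only host allowed to originate SMTP (tcp/25)
PROXY="10.0.0.80"        # the only host allowed to originate HTTP/HTTPS (tcp/80, tcp/443)
LAN="10.0.0.0/24"        # the internal network being filtered

# Print an nftables ruleset implementing the policy. The forward chain has a
# default policy of drop, so anything not explicitly accepted is blocked; the
# logging rule records attempts from other LAN hosts to reach the restricted
# ports, which is the signal an admin wants when someone tries a tunnel.
egress_ruleset() {
  cat <<EOF
table inet egress {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ip saddr $MAILSERVER tcp dport 25 accept
    ip saddr $PROXY tcp dport { 80, 443 } accept
    ip saddr $LAN tcp dport { 25, 80, 443 } log prefix "egress-denied: " drop
  }
}
EOF
}

# Evaluate the same policy for one new outbound connection (source address,
# destination port) and print "accept" or "drop". Mirrors the ruleset above.
egress_decision() {
  src="$1"
  dport="$2"
  case "$dport" in
    25)
      if [ "$src" = "$MAILSERVER" ]; then echo accept; else echo drop; fi ;;
    80|443)
      if [ "$src" = "$PROXY" ]; then echo accept; else echo drop; fi ;;
    *)
      echo drop ;;
  esac
}

# Usage: print the ruleset (load with `nft -f` on a real gateway) and show two decisions.
egress_ruleset
echo "workstation -> 443: $(egress_decision 10.0.0.5 443)"
echo "proxy -> 443:       $(egress_decision "$PROXY" 443)"
```

The evaluator deliberately drops everything that is not 25, 80 or 443 from the named hosts; with the proxy itself locked down (authentication, CONNECT limited to 443, logging), a workstation has no direct path out on which to run `nc` or a tunnel, which is the point Steve makes.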