[Wylug-help] firewall issues
Adam Greenwood
adam at greenwood-peace.org.uk
Fri Mar 17 18:27:30 GMT 2006
The first thought that comes to mind is, if you have a linux box and a
windows box both behind your ADSL firewall, why worry about outgoing
traffic from the linux box? If the windows box can see the data via
samba you'll be padlocking your side door and leaving the front door
wide open. If you do have sensitive data on the linux box, what you say
is true though: if someone gets to it somehow they wouldn't be able to
connect out directly.
Assuming you do want to block outbound traffic from the linux box, you
could either block traffic leaving your linux box with any destination
other than your local network, or at the router you could block traffic
from your linux box to anywhere (or to outside, it should be the same if
your router is your gateway). The router option would be better as it
prevents any traffic leaving your linux box even if your box has been
rooted - a firewall on the box can be turned off if the box has been
compromised. However, if your linux box cannot be seen from outside, all
it does is protect you from possible consequences of a successful attack
on your linux box via a worm/virus etc on your windows box. In that
case, they can use the windows box to get back out... or, I suppose it
is theoretically possible to get a worm-style compromise via windows
which gets itself onto the linux box but without any control, so all it
can do is send out..? In the end locking everything down that can be
locked down can't be a bad idea.
I use a DMZ for machines that have to be exposed to the public network,
and they are still behind a firewall, but are also separated from the
'internal' office part of the network by another firewall which lets
nothing in at all. You can get from inside to the DMZ, you can get from
outside to specific ports in the DMZ, but you can't get anything from
the DMZ to inside - you have to push or fetch things from inside. (I
mean establish connections to when I say 'get to', the return traffic
for established connections is allowed).
Beyond that, I have a number of machines that have to see the outside
from inside, including windows desktops (it's true I'm afraid), so I
don't currently worry about the linux boxes being able to connect
outwards - if someone gets onto them it has to be via a windows box,
which has access to my sensitive data via samba. But, maybe I'll look
into it some more and think about whether to lock down stuff that seems
like it's not a problem, just in case.
I should say that I'm a server guy with some firewall knowledge, not a
security/firewall guy. I'd be interested in whether a security guru
could suggest a more compelling reason for blocking outbound traffic
from firewalled linux boxes when there are windows boxes for which it's
allowed.
All interesting stuff anyway.
HTH,
Adam
Justin Ware wrote:
> Hi,
>
> I have a question related to using firewalls in Linux. I'm using SuSE
> 10.0 and the firewall I'm running (unsurprisingly) is SuSEfirewall2.
> The box is on a small home network. Connection to the internet is via
> an ADSL-modem/router/hub-thingy using NAT (no port forwarding, no
> DMZ). There's another windows PC using the hub. The Linux box is not
> the firewall to the internet for the windows box.
>
> I understand how to configure the blocking of incoming traffic. I've
> set the machine up as a Samba server, works fine.
>
> I've read around the subject of external, internal and demilitarized
> zones for the firewall and I *believe* that's mainly concerned with
> using the Linux box as the firewall for a network. So I could block
> outgoing traffic from machines behind the firewall.
>
> Is there a way I can block local outgoing traffic from the Linux box?
> So if there is a trojan sending out my sensitive information** then
> it will be blocked. I don't *believe* it's doing that by default.
>
> I could of course block it at the router (after reading the manual).
>
> Thanks,
>
> J.
>
> ** recipes, underwear size, high score on breakout etc
>
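The two placements Adam describes (an OUTPUT policy on the Linux box itself, or a FORWARD rule at the router) as a worked iptables example. This is an added illustration, not code from the thread or from SuSEfirewall2; the addresses, interface names and the DNS exception for the router are assumptions chosen for the example, and the script only prints the rules unless DRY_RUN=0 is set and it is run as root.

```shell
#!/bin/sh
# Added example: lock down outbound traffic from a Linux host, either on
# the host (OUTPUT chain) or for that host at a Linux router (FORWARD
# chain). Not from the original thread or from SuSEfirewall2.
# Assumed values (change to suit): LAN 192.168.1.0/24, router 192.168.1.1,
# the Linux box 192.168.1.10, router LAN interface eth0 and WAN ppp0.
# DRY_RUN=1 (the default) prints the iptables commands instead of
# executing them; DRY_RUN=0 as root applies them.

DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Option 1: on the Linux box itself. Rule order matters: loopback and
# reply traffic first, then the LAN, then DNS to the router, then log and
# drop anything else that tries to leave the local network.
host_egress_rules() {
    lan="$1"      # e.g. 192.168.1.0/24
    router="$2"   # e.g. 192.168.1.1, the only host allowed to answer DNS

    ipt -F OUTPUT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Replies to inbound connections (e.g. Samba clients on the LAN)
    # are still allowed, so the file server keeps working.
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -d "$lan" -j ACCEPT
    ipt -A OUTPUT -d "$router" -p udp --dport 53 -j ACCEPT
    # Everything else is a new connection leaving the LAN: record it
    # (rate-limited) so a chatty trojan shows up in the log, then drop.
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
    ipt -A OUTPUT -j DROP
    # Belt and braces: the chain policy is DROP as well.
    ipt -P OUTPUT DROP
}

# Option 2: the same restriction at the router, which survives the box
# being rooted because the box cannot switch it off. This assumes the
# router runs Linux/iptables; a consumer ADSL router needs the equivalent
# "block new connections from 192.168.1.10 to WAN" rule entered in its UI.
# The rules are inserted at the top so an existing LAN->WAN ACCEPT rule
# does not shadow them.
router_egress_rules() {
    host="$1"    # e.g. 192.168.1.10
    lan_if="$2"  # e.g. eth0
    wan_if="$3"  # e.g. ppp0

    ipt -I FORWARD 1 -i "$lan_if" -o "$wan_if" -s "$host" -m state --state NEW \
        -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
    ipt -I FORWARD 2 -i "$lan_if" -o "$wan_if" -s "$host" -m state --state NEW -j DROP
}

# Usage: print both rule sets (set DRY_RUN=0 and run as root to apply).
host_egress_rules 192.168.1.0/24 192.168.1.1
router_egress_rules 192.168.1.10 eth0 ppp0
```

After applying option 1, a quick check from the box is `wget -O /dev/null http://www.kernel.org/`, which should hang and produce an `EGRESS-DROP:` line in the kernel log, while `smbclient -L localhost` from the Windows PC still works. Note the caveat Adam raises: option 1 protects only until the box is rooted, because root can run `iptables -F OUTPUT` just as easily as this script does.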