Linux Netfilter discussions
From: "Jörg Harmuth" <harmuth@mnemon.de>
To: netfilter@lists.netfilter.org
Subject: Re: OUTPUT filtering
Date: Thu, 14 Jul 2005 17:56:21 +0200
Message-ID: <42D68B25.6010305@mnemon.de>
In-Reply-To: <42D6589E.5090707@ufomechanic.net>

Amin Azez wrote:
> Quite so, but output filtering can also be applied to a
> firewall/router/bridge with no user accounts.

Definitely this is true. But why would you want to apply output
filtering to a firewall,..., without any user account? I can't see the
point in this, if we are talking about general output filtering like
having a DROP policy in OUTPUT.

Only locally generated packets go through OUTPUT and most likely you
want this traffic (proxies,...). Given that there is no config error, if
there is unwanted traffic on the box - let's say IRC - chances are good
that the box is compromised and as there is no user account, the
intruder has root privileges. So he is perfectly able to circumvent any
filtering. So, output filtering didn't help.

Of course there are good reasons for single OUTPUT rules - this list
helped me to remember identd, which caused a responding delay of about
30s - but this is not the general case.

Maybe I'm missing important views, but I can't see that output
filtering makes sense.

Have a nice time,

Joerg




Thread overview: 6+ messages
2005-07-13  9:05 Ip_conntrack_ftp with PASSIVE FTP does not work Chandra.Vempali
2005-07-13  9:38 ` Jörg Harmuth
2005-07-13 10:14   ` Jan Engelhardt
2005-07-13 14:45     ` OUTPUT filtering (was: Re: Ip_conntrack_ftp ...) /dev/rob0
2005-07-14 12:20       ` OUTPUT filtering Amin Azez
2005-07-14 15:56         ` Jörg Harmuth [this message]
