output rules suggestions please

Anders Fugmann email hidden
Fri Jul 25 08:47:48 CEST 2003

Craig Reeson wrote:
> guys,
> I've been doing some experimentation  and have realised that if my firewall
> system becomes compromised then output rules could come in rather handy.
I hope this has not happened.
> Could I ask ppl to post their output rules or their suggestions.

If your firewall is compromised there is little you can do. What you 
want is for your firewall to be totally shielded off. Do not run any 
services exposed to the internet on the firewall, and only allow ssh to 
the firewall from trusted machines behind the firewall itself.

All machines with public services should be placed in a DMZ. The DMZ 
should be carefully shielded, allowing as little traffic as possible 
(port and ip wise) to go in/out on the internet. For example, a 
mailserver should only be able to contact internet hosts on port 25, and 
should only be accessible on port 25. Also I recommend having a DNS in 
the DMZ which all machines in the DMZ use. If you are paranoid then put a 
firewall on each machine in the DMZ too.

When designing your network/firewall then always think of what will 
happen if one of your machines is compromised and how you can limit the 

Hope it helps.
Anders Fugmann

> Thanks,
> Craig Reeson  RHCE
> Senior Engineer
> Bluechip Infotech
> Ph. (02) 8745 8465
> Mob. 0413 018602
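The layout Anders describes above (no public service on the firewall, ssh only from a trusted inside host, a DMZ mail server that may only talk SMTP, a DMZ resolver for the DMZ hosts, and a logged default deny on everything else) can be written down as a small iptables script. This is an added example, not code from the fiaif project or from either poster. The interface names, the 192.0.2.0/24 and 10.0.0.0/24 addresses and the host roles are all constructed for illustration; by default the script only prints the rules it would load, and applies them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not part of the fiaif project or the original thread.
# Assumed topology (all addresses constructed for illustration):
#   eth0 = internet side, eth1 = DMZ (192.0.2.0/24), eth2 = LAN (10.0.0.0/24)
#   192.0.2.25 = DMZ mail server, 192.0.2.53 = DMZ resolver
#   10.0.0.10  = the one trusted LAN host allowed to ssh to the firewall
INET_IF=eth0; DMZ_IF=eth1; LAN_IF=eth2
MAIL=192.0.2.25; DNS=192.0.2.53; ADMIN=10.0.0.10

# Prints each rule for review (default) or loads it with iptables when APPLY=1.
rule() {
  if [ "${APPLY:-0}" = 1 ]; then
    iptables "$@"
  else
    echo "iptables $*"
  fi
}

firewall_rules() {
  # Default deny in every direction, including the firewall's own OUTPUT chain,
  # so a compromised firewall cannot simply open connections outwards.
  rule -P INPUT DROP
  rule -P FORWARD DROP
  rule -P OUTPUT DROP
  rule -A INPUT -i lo -j ACCEPT
  rule -A OUTPUT -o lo -j ACCEPT
  for chain in INPUT FORWARD OUTPUT; do
    rule -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
  done

  # The firewall runs no public service: the only new connection it accepts
  # is ssh from the trusted admin host on the LAN side.
  rule -A INPUT -i $LAN_IF -s $ADMIN -p tcp --dport 22 -m state --state NEW -j ACCEPT

  # The firewall itself may only open DNS queries to the DMZ resolver.
  rule -A OUTPUT -o $DMZ_IF -d $DNS -p udp --dport 53 -j ACCEPT
  rule -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUTPUT-DENY: "

  # DMZ mail server: reachable from the internet on 25, may only contact the
  # internet on 25. Nothing else from that host leaves the DMZ.
  rule -A FORWARD -i $INET_IF -o $DMZ_IF -d $MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
  rule -A FORWARD -i $DMZ_IF -o $INET_IF -s $MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT

  # DMZ resolver: the one DMZ host allowed to speak DNS to the internet.
  rule -A FORWARD -i $DMZ_IF -o $INET_IF -s $DNS -p udp --dport 53 -j ACCEPT
  rule -A FORWARD -i $DMZ_IF -o $INET_IF -s $DNS -p tcp --dport 53 -m state --state NEW -j ACCEPT

  # Everything else leaving the DMZ hits the DROP policy; log it first so a
  # DMZ host that suddenly tries to reach out shows up in the logs.
  rule -A FORWARD -i $DMZ_IF -m limit --limit 5/min -j LOG --log-prefix "DMZ-EGRESS-DENY: "
}

# Print the ruleset (or load it when APPLY=1 is set in the environment).
firewall_rules
```

Run it without arguments to see the rule list, and as root with `APPLY=1` to load it. Hosts inside the DMZ can still talk to each other without crossing the firewall, which is why the advice to run a host firewall on each DMZ machine is worth following as well.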
