Synology Disk DS211J
bonomi at mail.r-bonomi.com
Fri Sep 30 00:46:09 UTC 2011
> From: Nathan Eisenberg <nathan at atlasnetworks.us>
> Subject: RE: Synology Disk DS211J
> Date: Thu, 29 Sep 2011 21:58:23 +0000
> > And this is why the prudent home admin runs a firewall device he or she
> > can trust, and has a "default deny" rule in place even for outgoing
> > connections.
> > - Matt
> The prudent home admin has a default deny rule for outgoing HTTP to port
> 80? I doubt it.
No, the prudent and knowledgeable home admin does not have a default deny
rule just for outgoing HTTP to port 80.
He has a default deny rule for _everything_. Every internal source address,
and every destination port. Then he pokes holes in that 'deny everything'
for specific machines to make the kinds of external connections that _they_
need to make.
Blocking outgoing port 80, _except_ from an internal proxy server, is not
necessarily a bad idea. If the legitimate web clients are all configured
to use the proxy server, then _direct_ external connection attempts are
an indication that something "not so legitimate" may be running.
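
The policy described in this message, modelled as an added example that is not part of the original post: outbound traffic is denied by default, holes are poked per machine, and denied direct port-80 attempts are called out. All addresses, host roles and the sample attempts are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Hole:
    src: str    # internal source host or network (CIDR)
    proto: str  # "tcp" or "udp"
    dport: int  # destination port
    note: str   # why this machine needs it

# Holes poked in "deny everything" (hypothetical hosts and addresses).
HOLES = [
    Hole("192.168.1.10/32", "tcp", 80, "proxy -> web"),
    Hole("192.168.1.10/32", "tcp", 443, "proxy -> web (TLS)"),
    Hole("192.168.1.53/32", "udp", 53, "resolver -> DNS"),
    Hole("192.168.1.20/32", "tcp", 25, "mail host -> SMTP"),
]

def decide(src, proto, dport):
    """Return (verdict, reason) for one outbound attempt; default is deny."""
    addr = ipaddress.ip_address(src)
    for h in HOLES:
        if addr in ipaddress.ip_network(h.src) and (proto, dport) == (h.proto, h.dport):
            return "allow", h.note
    # No hole matched: direct port 80 from a non-proxy host gets its own label.
    if proto == "tcp" and dport == 80:
        return "deny", "direct HTTP bypassing proxy"
    return "deny", "default deny"

def review(attempts):
    """Return only the denied attempts, with the reason for each."""
    denied = []
    for src, proto, dport in attempts:
        verdict, reason = decide(src, proto, dport)
        if verdict == "deny":
            denied.append((src, proto, dport, reason))
    return denied

# Constructed outbound attempts: (internal source, protocol, destination port).
SAMPLE = [
    ("192.168.1.10", "tcp", 80),   # proxy, has a hole
    ("192.168.1.53", "udp", 53),   # resolver, has a hole
    ("192.168.1.77", "tcp", 80),   # non-proxy host going direct
    ("192.168.1.77", "udp", 53),   # same host, no DNS hole either
    ("192.168.1.10", "tcp", 25),   # proxy has no SMTP hole
]

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(row)
```
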