The only outbound ports that should be allowed are ones that are known to be necessary for a business application. It should be locked down by source and destination IP address/subnet too.
If you allow wide open outbound DNS or SSH that can become a security hole. Many worms or trojans make outbound connections to download additional exploit tools. They could make those connections using TFTP outbound through the common DNS port (udp 53). If those connections are restricted, IT doesn't have to worry about that being an attack vector.
If you need outbound SSH in order to do your job or to do your job better, you should be able to make the case with your manager. IT can poke a hole just for you to have this business related outbound access.
That would be sweet. I haven't looked into it. I don't know if they use perl or php or what for the web interface. You're right though, it probably isn't that involved.
But one of the neat things about IPcop is that it's one of them open source things. So while you're quite correct that the pretty GUI doesn't have an interface for egress filtering, you *can* hop into the shell and add in the iptables commands of your choice.
True. And I have done this with my own Smoothwall box. It would be nice to have this in the GUI. I believe it must be there before either of these firewall packages can claim that they can/should be used in business environments as is.
To answer your next comment, I am not proficient enough at programming to offer to add these functions to the GUI. I can only be a critic...
Let me clarify my last post. If a machine on your IPCop/Smoothwall protected network is compromised, then any outbound connections that these worms/virus/trojans/attackers make, will successfully traverse the firewall.
In the case of a worm like Slammer, it will be able to further propagate, Nachia will be able to flood your ISP connection, an attacker will be able to download a toolkit, etc...
The problem with IPCop, and Smoothwall for that matter, is the inability to filter traffic outbound. All traffic originating on the "Green" (inside or internal) interface is permitted. Nachia and Slammer will fly right through this config. Any worm or virus or trojan that tries to use TFTP to download more tools will also be successful.
Permitting only the traffic that needs to traverse a firewall IN ALL DIRECTIONS is a basic firewall/security concept.
I was on a conference call one time with a male network engineer from a different division of our company and a female engineer from a managed service provider. She needed to log in to one of his routers for some troubleshooting so she asks what his password is.
After a 4-5 second pause... Poontang.
I don't think I got to the mute button fast enough!
This is one of the smartest "games" I have ever played. Definitely not for everyone, although I think many here at /. would find it interesting. I don't think I've seen it mentioned here before.
LCD's of today are more than capable of keeping up with you while playing FPS games. I bought my wife a cheap LCD and it looks great during Quake3.
Optical mice are WORLDS better than ball mice at everything!! My latest Logitech inspects my mouse pad 1500 times a second and the USB interface to my PC has plenty of bandwidth to get that information to the OS/FPS game. Ball mice...
During snow you will experience signal loss, especially if your dish is at a higher angle of elevation. This is because snow will collect on the reflecting surface, blocking the signal.
The higher your dish angle the nearer you are to the equator the less snow you should see.
Having used Mythtv for the past month, I am surprised to not see this app in the list. Easily the coolest computer application I have ever used - let alone it being open-source.
I just ran into the same thing. The hinges on my laptop screen can no longer hold my PERFECT LCD screen vertical. ~$600 to replace the LCD/hinges.
Jerks.
"Majority of security issues come not from buffer overflows in the application code or similar stuff, but from dumb users clicking on e-mail attachments and downloading wicked screensavers."
You mean like attachments that contain virii that exploit buffer overflows in the application code?
...Restricting unnecessary outbound traffic does help prevent viruses and worms from entering or infecting the network. It is a very good idea and I suggest to all of my customers that they do so.
Several worms have attempted outbound tftp file transfers upon infection. They do this to get more software to further infect/exploit a host.
Patching is also critical, but a simple rule of thumb regarding firewalls (common sense regarding firewalls actually) is that you allow only the traffic that is required to get through the firewall - in every direction. That is as tight as the firewall can get and that is what you want.
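The egress policy this thread keeps coming back to (only business-required traffic leaves the GREEN interface, DNS pinned to known resolvers so a worm cannot push TFTP through udp/53 to an arbitrary host, the worm favourites logged so the attempts are visible), written out as an added example. This is not code from the thread and not part of IPCop or Smoothwall; it only emits an iptables-restore fragment for review rather than touching the running firewall. The interface names (eth0 GREEN, eth1 RED), the 192.168.1.0/24 subnet and the resolver, proxy and mail-relay addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate an iptables-restore fragment that applies
# "allow only what the business needs, in every direction" to traffic
# leaving the GREEN (internal) interface of an IPCop/Smoothwall-style box.
# Everything below is assumed/constructed, not taken from either project.

GREEN_IF="eth0"                        # assumption: GREEN interface
GREEN_NET="192.168.1.0/24"             # assumption: GREEN subnet
RED_IF="eth1"                          # assumption: RED (Internet) interface
RESOLVERS="192.168.1.1 203.0.113.53"   # constructed: only hosts allowed on port 53
WEB_PROXY="192.168.1.10"               # constructed: the one host that browses out
MAIL_RELAY="192.168.1.25"              # constructed: the one host that sends SMTP out

# allow_out SRC DST PROTO DPORT -> one ACCEPT rule, GREEN to RED only
allow_out() {
    printf -- '-A FORWARD -i %s -o %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$GREEN_IF" "$RED_IF" "$1" "$2" "$3" "$4"
}

# log_drop PROTO DPORT LABEL -> log, then drop, a port worms are known to use,
# so the firewall log shows which inside host is trying to reach out
log_drop() {
    printf -- '-A FORWARD -i %s -p %s --dport %s -j LOG --log-prefix "%s "\n' \
        "$GREEN_IF" "$1" "$2" "$3"
    printf -- '-A FORWARD -i %s -p %s --dport %s -j DROP\n' "$GREEN_IF" "$1" "$2"
}

gen_egress_rules() {
    echo '*filter'
    echo ':FORWARD DROP [0:0]'
    # Replies to connections the inside opened are stateful matches.
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # DNS: only to the named resolvers. TFTP-over-udp/53 to some random
    # Internet host does not match these and falls through to the drop.
    for r in $RESOLVERS; do
        allow_out "$GREEN_NET" "$r" udp 53
        allow_out "$GREEN_NET" "$r" tcp 53
    done
    # Web: only the proxy host leaves the network on 80/443.
    allow_out "$WEB_PROXY" 0.0.0.0/0 tcp 80
    allow_out "$WEB_PROXY" 0.0.0.0/0 tcp 443
    # Mail: only the relay may deliver outbound SMTP.
    allow_out "$MAIL_RELAY" 0.0.0.0/0 tcp 25
    # Log the ports the worms named in the thread lean on before dropping:
    # TFTP (udp/69, the "download more tools" channel), any DNS that is not
    # to a resolver, MS-RPC (tcp/135, Nachi) and SQL resolution (udp/1434, Slammer).
    log_drop udp 69   "EGRESS-TFTP"
    log_drop udp 53   "EGRESS-DNS"
    log_drop tcp 135  "EGRESS-RPC"
    log_drop udp 1434 "EGRESS-SQL"
    # Everything else leaving GREEN is logged and dropped.
    printf -- '-A FORWARD -i %s -j LOG --log-prefix "EGRESS-DROP "\n' "$GREEN_IF"
    printf -- '-A FORWARD -i %s -j DROP\n' "$GREEN_IF"
    echo 'COMMIT'
}

gen_egress_rules
```

Run it as `sh egress.sh > egress.rules`, read the result, and only then feed it to `iptables-restore --noflush` on the firewall; on a real IPCop box the distribution's own chains would have to be reconciled with this first, so treat the output as the policy to review, not a drop-in replacement.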
Granted, this is not any more fancy than all the other solid state MP3 players, it should still not be compared to the iPod or any other non-solid state players.
I don't see how your math is at all relevant. If I am in the market for a small (in my front jeans pocket and don't know about it small), cheap (under $200) MP3 player, how is the iPod coming into the equation? It isn't, and this is the type of player for someone with those requirements.
It could have 300MB per $1, but if it costs $500 to begin with, it is out of my range.
That was fantastic. Thank you. LOL
Turning SSID broadcast on will vastly improve roaming performance regardless of client hardware/software.
There are many who still feel that disabling SSID broadcast is an effective security measure (it isn't) so their wifi performance suffers.
Google for wp_ssid_hiding.pdf...
That made me laugh out loud. I wish I had mod points right now.
I think he was being sarcastic chief...
What does moral relativism have to do with this? I would say nothing.
ID3-TagIT
http://www.id3-tagit.de/english/index.htm
This program is great. Filename to tag, tag to filename - it makes it very easy. I cleaned up 11 Gig in 5 or 6 hours.
Should I throw in the SED joke - Smoke Emitting Diodes?
This does not currently offer the pagerank bar, which is the only real use for the Google Toolbar with Mozilla, IMHO.
Here is the link: mindrover.com
Both of your statements are valid, 3 years ago.
Some of us have been using DNS to get through some really draconian firewalls for ages
How so?
Do you have a proxy server offsite that listens on port 53? If so, you are not using DNS, you are using a proxy server that listens on port 53.
"I was going about 130MPH up hwy 280"
I drive 10 to 15 over the speed limit regularly. I am a speeder. I am not an "idiot" as you once were.
There is a big difference in regards to safety IMO.