05-06-2006   #8
Paul Johnson
Re: Microsoft limits Vista Firewall - for their own good ?

Please quote inline, top posting is antisocial.
http://ursine.ca/Top_Posting

Puppy Breath wrote:

> You guys may be right. However, even if they did close all ports, would
> users know if/when it's OK to let something go through? Also, there are over
> 32,000 ports to worry about (65,635 if you look at it in terms of TCP and
> UDP). I don't see how you could make it "user friendly".


65,535 ports. 131,070 if you consider TCP and UDP ports to be unique.

> Besides, the threats come from outside your own network, not inside. At
> least, they shouldn't be coming from the inside if the rest of your
> security is in place. And what's to keep a piece of malware from sending
> out through port 80, which is always open on everyone's machine?


Not always. Many networks do things like transparent proxying through Squid
(http://www.squid-cache.net/) or another caching web proxy to reduce
bandwidth usage and do content filtering or banner/pop-up ad-zapping
(http://adzapper.sf.net/ is good and free for this). This is generally a
good thing, as it reduces web server load as well. I find it odd that more
ISPs don't do server-side ad-zapping for their customers, though.

> I don't know, I think closing all outgoing ports by default would be a
> real nightmare for end users.


Anybody else remember the Trumpet Winsock nightmare and the hoops you had to
jump through to get that to work? Even the various BSDs have open output
by default, and those operating systems have bragging rights for going
years without any security holes in the default install.

> Especially since the threats shouldn't be
> coming from inside in the first place. But again, what difference does it
> make? It only takes a mouse click to change them from Open to Closed.


At least they're finally adding the functionality for those who know they
need it.

--
Paul Johnson
Email and IM (XMPP & Google Talk): baloo@ursine.ca
Jabber: Because it's time to move forward http://ursine.ca/Ursine:Jabber
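The point above about port 80 not being "always open" is worth seeing in configuration form. The script below is an added example, not something posted in this thread or shipped by Squid: it prints the gateway rules for the weak default the thread describes (outbound TCP/80 simply allowed) next to the intercept setup Paul alludes to, where LAN port-80 traffic is redirected into a Squid instance that logs every request and applies ACLs such as an ad-domain blocklist. The LAN interface `eth1`, the `192.168.1.0/24` subnet, proxy port `3128` and the blocklist path are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): egress rules for an intercepting HTTP proxy.
# Assumptions (constructed): LAN interface eth1, Squid on the gateway listening on 3128.
LAN_IF="${LAN_IF:-eth1}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Weak default the thread describes: outbound TCP/80 is forwarded as-is, unlogged,
# so any program on a LAN host can talk to any web server unobserved.
weak_egress_rules() {
    printf 'iptables -A FORWARD -i %s -p tcp --dport 80 -j ACCEPT\n' "$LAN_IF"
}

# Intercept setup: port-80 traffic arriving from the LAN is redirected into the
# local proxy, so every outbound HTTP request is logged and subject to Squid ACLs.
# The FORWARD log/drop pair is defence in depth for anything that escapes the redirect.
intercept_egress_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' \
        "$LAN_IF" "$PROXY_PORT"
    printf 'iptables -A FORWARD -i %s -p tcp --dport 80 -j LOG --log-prefix "HTTP-BYPASS "\n' "$LAN_IF"
    printf 'iptables -A FORWARD -i %s -p tcp --dport 80 -j DROP\n' "$LAN_IF"
}

# Minimal squid.conf fragment for intercept mode. "intercept" is the Squid 3.1+
# keyword; Squid 2.x releases of the thread's era spelled it "transparent".
# /etc/squid/ads.txt is an assumed one-domain-per-line blocklist.
squid_intercept_conf() {
    cat <<EOF
http_port ${PROXY_PORT} intercept
acl localnet src 192.168.1.0/24
acl ads dstdomain "/etc/squid/ads.txt"
http_access deny ads
http_access allow localnet
http_access deny all
access_log /var/log/squid/access.log squid
EOF
}

# Print both variants side by side for review; apply the second on a real gateway.
main() {
    echo "# weak default:"; weak_egress_rules
    echo "# intercept proxy rules:"; intercept_egress_rules
    echo "# squid.conf fragment:"; squid_intercept_conf
}

[ "${1:-}" = "--show" ] && main
```

Run it with `sh egress.sh --show` to see both rule sets; the `access_log` line is what turns the "malware goes out on port 80" case from invisible into a logged, filterable event, which is the practical difference between an open port and an intercepted one.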