Old 02-20-2008, 01:59 PM
Ronny Prinse
Re: [NETFILTER] logging application

Robby Workman wrote:

> On 2006-01-06, Ronny Prinse <rprinse@planet.nl> wrote:
>> Robby Workman wrote:
>>
>>> On 2006-01-05, Ronny Prinse <rprinse@planet.nl> wrote:
>>>> Hello everybody,
>>>>
>>>> My PC is behind a hardware router with NAT, but I just want to secure
>>>> my outbound connections. Any recommendations on which rules I have to
>>>> focus on?
>>>>
>>>> I was googling for firewall log analyzers, but most aren't that
>>>> recent anymore and I just want something simple. Any tips?
>>>
>>>
>>> I'm not sure what you're asking here. On one hand, it sounds as if
>>> you want to do some filtering of what's leaving your computer/LAN,
>>> but then your second paragraph sounds as if you want something like
>>> Chris suggested in his reply (snort, et al).
>>>
>>> Which is it, or is it both?
>>>

>>
>> I'm sorry if I was unclear. I meant both. It should be considered as 2
>> questions :P I was looking for a simple log analyser to debug my
>> firewall, which I'm creating to give a little bit of security to my outgoing
>> connections, not a php/mysql/perl/web frontend.

>
>
> Well, I'm going to ramble a bit... :-)
>
> If your computer is behind a router which also serves a firewall, then I
> wouldn't be too concerned about reading logs. IMHO, packet filtering
> logs don't have much use except for debugging purposes (and satisfying
> curiosity about what's getting hit the most).
>
> If I understand you correctly, you want to filter outbound traffic
> from the box in question using iptables. That's certainly do-able, but
> I question the benefits of doing so. If you want application-level
> filtering, you'll need to look into layer 7 filtering (l7) which is
> available as an add-on to iptables (netfilter patch-o-matic) or a
> proxy, and proxy will be your best bet, as l7 filtering introduces
> some serious overhead.
> Furthermore, OUTPUT filtering is of limited usefulness anyway unless
> you have untrusted users on the box, which is a problem in itself, as
> anyone who gains root access on the box (which is trivial for a local
> user) can easily disable OUTPUT filtering.
>
> Was I totally off base here?
>
> RW
>


I think you understood me. I am the only user, as it is my PC, so I have
nothing to do with untrusted users. I just wanted to make sure I'm safe
behind the NAT of the router, as I don't know if that is safe enough for normal
daily use. I don't want to have a false sense of security. Trojans on my PC,
for instance, can simply make a connection to the outside. Not that it is
very likely that my PC is infected with trojans, of course :P I think it's too
much overhead to go that far (layer 7 filtering). I really appreciate your
help, Robby, thank you!

--Ronny
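The thread asks for two things: a default-deny OUTPUT chain that logs what it drops, and a "simple log analyser" to read those logs without a web front end. The following is an added example, not code from this thread or from either poster. It assumes an OUTPUT chain whose last rule is `-j LOG --log-prefix "OUT-DROP: " --log-uid` (the `--log-uid` option makes the LOG target record the UID of the local process that generated the packet), and it runs on a constructed sample of kernel-log lines in the format that target produces. Grouping the drops by destination, port and UID is what makes a repeated outbound attempt from your own account stand out from a one-off misconfiguration:

```python
import re
from collections import Counter

# Constructed sample of what the netfilter LOG target writes to the kernel log
# (dmesg or /var/log/messages).  Assumed rule set that produces it (not from
# the original thread):
#   iptables -P OUTPUT DROP
#   iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#   iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
#   iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
#   iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: " --log-uid
SAMPLE_LOG = """\
Feb 20 13:55:01 box kernel: OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=TCP SPT=43210 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Feb 20 13:55:07 box kernel: OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31338 DF PROTO=TCP SPT=43211 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Feb 20 13:55:12 box kernel: OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.20 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51000 DPT=123 LEN=56 UID=0 GID=0
Feb 20 13:56:30 box kernel: OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=43300 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Feb 20 13:57:00 box kernel: usb 1-1: new high speed USB device using ehci_hcd
"""

# KEY=value pairs; bare flags such as DF or SYN are not captured.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log(text, prefix="OUT-DROP: "):
    """Return one dict of KEY=value fields per logged packet carrying `prefix`.

    Lines without the prefix (other kernel messages) are skipped.  For UDP the
    LOG target prints LEN= twice (IP length, then UDP length); dict() keeps the
    last one, so LEN is the UDP length for those records.
    """
    records = []
    for line in text.splitlines():
        if prefix not in line:
            continue
        fields = dict(KV_RE.findall(line.split(prefix, 1)[1]))
        fields["ts"] = line[:15]  # syslog timestamp, e.g. "Feb 20 13:55:01"
        records.append(fields)
    return records


def summarize(records):
    """Count dropped packets per (proto, dst, dport, uid).

    The UID is the local process owner (needs --log-uid on the LOG rule), which
    tells you whether the attempt came from your own account or from root.
    """
    return Counter(
        (r.get("PROTO", "?"), r.get("DST", "?"), r.get("DPT", "?"), r.get("UID", "?"))
        for r in records
    )


def report(text):
    """Plain-text summary, most frequent destination first; returns the lines."""
    summary = summarize(parse_log(text))
    lines = ["count proto dst              dport uid"]
    for (proto, dst, dport, uid), n in summary.most_common():
        lines.append(f"{n:5d} {proto:5s} {dst:16s} {dport:5s} {uid}")
    return lines


if __name__ == "__main__":
    # Real use: python3 this.py < /var/log/messages  (or feed it `dmesg`)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print("\n".join(report(text)))
```

One caveat the analyser cannot fix: it only shows what the rules dropped. A program that talks to the outside over a port you allow (80 or 443 here) never reaches the LOG rule and never appears in the report, and anything running as root can flush the OUTPUT chain before it connects, which is the limit Robby describes above.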