Forgot your password?
typodupeerror
Spam The Internet Hardware

Reverse Firewalls As An Anti-Spam Tool 513

Posted by timothy
from the to-each-his-own dept.
An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. "A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out," Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because "normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail. ""
This discussion has been archived. No new comments can be posted.

Reverse Firewalls As An Anti-Spam Tool

Comments Filter:
  • by Anonymous Coward
    I have Kerio Personal Firewall on my Windows machine and it prompts me about every outgoing connection (to learn it, or allow it, or block it).
    • by Anonymous Coward
      thank you for reminding me how good it is not using windows.
    • It's normal, but it's also very annoying having to click yes/no everytime a process wants to create an outgoing connection. What the author suggests, is a hardware-based firewall (ie one that can't be switched off by a new generation virus - the current ones will terminate for instance any antivirus software they find running), that limits how many emails you can send per minute or hour.
    • by Christopher Cashell (2517) on Wednesday July 21, 2004 @02:23AM (#9757214) Homepage Journal
      Even for LAN firewalls, this is, or should be, normal behavior.

      I know I've had my firewall setup to block outgoing port 25 traffic that doesn't come from the mail server for a long time now. I also log outbound port 25 requests, and twice this has alerted me to when one of my users was infected with a mass-mailing trojan.

      Anyone who runs a firewall and does not currently have it set up similar to this should block outgoing port 25 connections that do not originate from your mail server immediately.

      If you're running any reasonably modern firewall (or using Linux and iptables for your firewall) this is fairly trivial to setup.

      Come on, guys. Let's all do our part to stop spam. Every little bit helps.
      • by obeythefist (719316) on Wednesday July 21, 2004 @03:31AM (#9757422) Journal
        Couple of relevant things:

        Windows XP SP2 will include a reverse firewall that is enabled by default. Unfortunately it will be released, for compatibility reasons, after Duke Nukem Forever.

        Principle Scientist for Verisign? The same company with the terrorists/geniuses (what's in a name?) who decided to hijack the DNS system and send it to a search portal that pays them money each time it gets used? Thanks a lot. I'll take advice from a great company like that.
      • Anyone who runs a firewall and does not currently have it set up similar to this should block outgoing port 25 connections that do not originate from your mail server immediately.

        Sorry, can't do that. I frequently use telnet out of workstations on my network to connect to port 25 on other machines to verify SMTP setups are correct there.

        I also use P2P software that has random port assignments, so a small proportion of the users I connect to with that will be on port 25, and I'd rather not interfere with
        • No offense, but these are rather poor excuses.

          Sorry, can't do that. I frequently use telnet out of workstations on my network to connect to port 25 on other machines to verify SMTP setups are correct there.

          Okay, so you create exception rules for the *specific* machines that you will be working from. Either that, or you connect to one central machine and do the majority of your testing from there, by remote access (ssh, VNC, whatever).

          Personally, I'd suggest the latter, as it allows you to easily set u
    • yeah just like all the other "personal firewalls".

      I believe there is a future for this afterall:

      "welcome to the setup of your personal firewall. To install some personal settings please anwswer the following questions:

      - Do you click on banners.
      Yes / no / Banners?

      - Do you use floppies and CD's provided by your idiot neighbour.
      Yes / no / also from my uncle
      - Is your default webpage www.msn.com.
      Yes / no / Banners?
      - You have created a personal webpage about your hobbies.
      Yes / no / with my cat
      - Running Outloo
  • since they monitor traffic going in and out of the PC.
    • by Mistlefoot (636417) on Wednesday July 21, 2004 @01:18AM (#9756901)
      Absolutely.

      I'm not sure this is an option that the average windows user (and almost anyone sending out spam on their virus laden pc uses windows) would find simple.

      Working as a support tech and dealing with mainly connectivity issues, I've learned that the number one issue blocking users from desirable online actities or access itself is a firewall. It used to be that the first troubleshooting step was to check the connections. Now it's become, check for firewalls.

      I'm not sure the average windows user would find this a simple solution.
    • True, but ultimately the problem comes back to the millions of Joe Averages out there with broadband connections and cheap yet overpowerful computer system any geek will tell you they just plain don't need. There are people who still send out and forward chain letters (not to mention open up suspicious, no-doubt-virus-ridden, e-mails) which already adds to the problem of spam messages. What are the chances of these Joe Averages collectively thinking 'hey, maybe I should stop leaving my computer on 24/7 and
      • This is a good point, because for Joe Average they maybe able to use their computers, but they certainly do not understand how they work. And to keep a computer running well, you need to understand how they work, or have someone close to them that knows how they work to maintain them. When it comes to firewalls and such, a more advanced computing topic, its hard enough for Joe Average understand why its desirable to have one let alone how to configure one effectivly to protect them on the internet.

        I know

    • Part of the problem with software firewalls are that if the user has a problem wherein they let a spambot or other virus into their machine, that program could have the ability to disable a software firewall as well.

      If it's a hardware firewall, it makes it much more challenging for a hacker-program to be able to disable it to "get out".
    • by erice (13380) on Wednesday July 21, 2004 @01:33AM (#9756996) Homepage
      The virus is already on the inside with "root". It would be trivial for the virus to simply disable the firewall before spewing.

      No, for a "reverse" firewall to make any sense, the firewall must be on a different machine.
      • The virus is already on the inside with "root". It would be trivial for the virus to simply disable the firewall before spewing.

        Not if the system is set up properly. For example, under Mac OS X the user does not have root privileges by default. Instead the user needs to authenticate himself every time he performs any changes to the root system or anything else outside of his own user account for that matter. This makes it very difficult and much less likely that a virus could get root privileges.

        So,

      • Well yes and no.

        A 'software' firewall residing on the PC in question does have several merits.
        It can check which software is trying to open the connection and filter on application instead of filtering on port and/or adress alone.
        It's also simpler to implement since it's just a piece of software to load.

        But it also requires the user to accept or reject applications requesting access (and knowing users, they will just click accept all the time).
        It is also possible for malware to trick or disable it.
    • *trying not to feed the troll*

      The problem is not just to monitor the traffic, but to apply uncircumventable precautions against unallowed behaviour. For a similar, yet a lot tougher solution, my cable provider blocks a port(port 80 right now) at the Cable Broadband Router level(the other side of my connection) and similarly, a DSL provider could do the same at the DSLAM level. That most providers don't do this is that

      1) it increases the per-user cpu cost at the edge of their network
      2) it increases the s
  • Not just for spam! (Score:2, Insightful)

    by cloudkj (685320)
    Works for virii and worms as well! When the router detects abnormal amounts of outbound traffic, it can either cap it, block it, or alert the user. This would work wonders!
    • The problem is that unlike traditional NAT'ing firewalls where everything not part of an existing TCP/IP conversation can be thrown to the bit bucket there is no such simple rule for a reverse firewall. So you get into heuristics and signatures, which have to be constantly updated and which give a LOT more false positives than a simple NAT box, ask anyone who has worked with intrusion detection systems. Not only that but since updates have to be done constantly to screen for new threats there is an ongoing
    • by DAldredge (2353)
      For about 3.2 seconds till the UPNP enabled virus tells the UPNP enabled firewall that it is an authorized app...
  • So long as I can edit firewall settings I would
    support mandatory default reverse firewalls for
    any equipment that so much as touches IP.
  • by jrockway (229604) * <jon-nospam@jrock.us> on Wednesday July 21, 2004 @01:15AM (#9756879) Homepage Journal
    Ahh, and who will control what defines an attack? Is using Freenet an attack? Bittorrent? Kazaa?

    This looks like yet another way to force us to use the Internet in the way that corporations/governements want us to. No fucking thank you.
    • by dhakbar (783117) on Wednesday July 21, 2004 @01:18AM (#9756903)
      Force?

      You do realize that this isn't a discussion about a law to make it illegal to connect to the internet without such a reverse firewall, don't you? How is this guy's (not so hot) idea forcing you to do anything?
      • by Anonymous Coward

        Did you actually read anything?

        He says reverse firewalls should be embedded in every cable modem and wireless access point for home users.

        He certainly does think it would be a good idea to require a reverse firewall before connecting to the internet.

        Idea becomes discussion ... discussion becomes policy ... policy becomes law. And Dhakbar says "Why, O!, why did this happen?"

    • by Capt'n Hector (650760) on Wednesday July 21, 2004 @01:33AM (#9756997)
      Put away that tin foil hat. Would you say the same thing about normal firewalls? After all, normal firewalls don't allow traffic from Bittorrent, most online games, etc etc etc without configuration. So.... "Who will control what defines an attack?" The answer is, as always, you.
    • by hoferbr (707935) <fabiomNO@SPAMgmail.com> on Wednesday July 21, 2004 @02:05AM (#9757142)
      IMHO, I think you're missing the point. The article states that the reverse-firewall would block traffic from specific ports that used the computer as, quoting the article, "a group of "zombie" machines hijacked to distribute huge amounts of fraudulent e-mail or launch denial-of-service attacks without being traced directly."
      If you want access to a blocked port, i'm shure that you could easily open it. But this is not about "computer experts" or something like that, this reverse firewall aims the average computer user. They are the ones whose computers are beeing used as spam spreaders by someone else.
  • A better idea... (Score:5, Insightful)

    by SixDimensionalArray (604334) on Wednesday July 21, 2004 @01:16AM (#9756886)
    Perhaps simply modifying mail protocols (migrating away from SMTP, POP3, IMAP etc.) to more robust and secured ones would be easier than having to create a product just to limit what you can do with your own machine and network connection.

    But that would be silly now, wouldn't it? Sure, it would cost a lot a migrate your mail clients and mail servers to a hypothetical industry-standard "enhanced SMTP" or something like that, but wouldn't we all be better off in the long run?
    • Boil the ocean [google.com], eh?
    • by KillerCow (213458) on Wednesday July 21, 2004 @02:07AM (#9757151)
      I have to agree with this. SMTP was designed when all of the machines involved were trusted. That isn't the case anymore. Since a design assumption has been fundamentally broken, it needs to be redesigned.

      We shouldn't be grafting band-aids and restricting the network model to fix a single broken protocol. SMTP is the problem. Fix it and leave everything else alone. You wouldn't propose mucking around with TCP because any other application layer protocol was broken.
    • Re:A better idea... (Score:5, Informative)

      by PetoskeyGuy (648788) on Wednesday July 21, 2004 @02:18AM (#9757197)
      Enhanced SMTP better known as ESMTP is not hypothetical. It's out there, it works, mail clients know about it. It's optional and most ISP's I've used don't have strong authentication. They could, but choose not to. Search Google for Ehanced SMTP or you'll find an ESMTP mail server.

      It seems your proposing the same argument the article does. Basically security needs to be enabled by default. The internet is no longer a place where you can trust. They are suggesting a hardware fix, your suggesting software.

      Either way it will most likely require some pretty big players like AOL or Microsoft to implement it before it would achieve critical mass. Designing a different way of doing things isn't hard, it's getting everyone else to agree to it and use it.

      AOL started implementing SPF to stop spam. If AOL/MSN/Yahoo all decide to stop accepting mail that doesn't come form SPF using sites, adoption should happen in about a fortnight.
    • Re:A better idea... (Score:3, Interesting)

      by CAIMLAS (41445)
      The problem with something like this is that it would likely either be an everyone-or-nobody change to the new system, or we'd have a scenario like the Windows API, where old code and functionality is left intact for legacy purposes (which, in effect, makes the new changes irrelevant, as the old exploitation methods are still viable).

      Not saying I disagree, just playing devil's advocate.
  • Off by default (Score:5, Interesting)

    by Kris_J (10111) * on Wednesday July 21, 2004 @01:16AM (#9756887) Journal
    Where my mother works, they're all allowed to have VPN access (I know this because I'm getting ADSL so she won't be dialling in directly anymore), but it's not on by default, you have to make a request to turn it on.

    Similarly, few individuals have a desperate need to run their own mail server, so ISPs should only allow mail connections to their own mail servers unless the user asks otherwise. How hard is that? Someone tell me this wouldn't have a major impact on spam zombies.

    You could do the same for pretty much every unpopular service and just have an account page where users can specifically turn on services they need.

    • Re:Off by default (Score:5, Interesting)

      by ottothecow (600101) <ottothecow@gma[ ]com ['il.' in gap]> on Wednesday July 21, 2004 @01:36AM (#9757016) Homepage
      Yes

      He is right.

      ISP's should block port 25, that is a definate yes at this point in time. But, when a user wants port 25, they should be able to ask and recieve.

      Your average cable/DSL user is probobly still using their free yahoo or hotmail account to check email. Maybe they made an ISP account now that POP3/SMTP is offered, but they probobly have no need for an external mailserver.

      The next guy up--the one who wants the mailserver--is either someone who knows enough about the internet and can deal with the attacks on their system, or some corporate exec who is told that he needs to do this to check his email. They could have a little quiz about security and if you do well, you get port 25, if you dont do well you can either take a little online class or maybe just buy a NAT box (maybe with a reverse firewall).

    • It would also have an impact on my own personal email system. I have comcast as my ISP now, but I don't use comcast's email. I have a website, and through that I accept email. Because I have my own domain, I don't have to worry about changing my email ever again and everyone can get in touch with me. Fortunately my site comes with a decent spam blocker as well.

      And finally, I gain access to that email site via the mail program on my mac. I do this to integrate with my address book, which also integrate
      • I think the idea was that ISPs should not refuse to open ports to you unless they know for sure something fishy is going on (at which point their terms of service will likely be getting you kicked off.) The idea is to have it off by default to make normal home users less useful to spammers releasing spam-relay-virii. You should (as I read the grandparent's description) have the option of running your own home email server if you like. It'd be something to ask for when you get the service set up, or somethin
    • Re:Off by default (Score:3, Insightful)

      by benna (614220)
      I would be seriously pissed off if I could only use their SMTP server. Spam may be a problem but I'd rather have spam and an internet connection that I chose the way I use then to lose that freedom and spam. But then hey I'm just some wacko that values freedom over safty from terrorism.
    • No. Not just no, hell fucking no. I'm buying internet access from them, not port 80 web access. I should be able to send whatever data I want out at any time. If I'm reaking a law, then the government should come and deal with it. Otherwise the ISP is a carrier. I should definitely NOT have to call up my ISP and get permission to use a specific port. I should be able to just start the server and go.
      • Re:Off by default (Score:4, Interesting)

        by Ryan Amos (16972) on Wednesday July 21, 2004 @02:30AM (#9757240)
        The days of the ISP as a "carrier" are long gone. They were over pretty much as soon as broadband hit the market. ISPs these days handle such massive amounts of bandwidth with such ignorant users that they have somewhat of a responsibility to the rest of the internet (not to mention their bottom line) to make sure that bandwidth isn't being used for nefarious purposes by hackers or viruses which have taken over the computers of these ignorant users. 99% of users don't need to and will never run a mail server, DNS server, whatever from their cable modem. All leaving these ports open does is allow the spambots and botnets to spread unabated.

        The days of the free, trusted internet are gone. Look at it this way: any competent sysadmin runs a firewall on a box that blocks all incoming ports except those which the admin knows are in use. Doing the same with outgoing traffic is not a bad idea, especially considering that most people whose computers are sending these massive crapfloods have no idea what's going on. We've got to protect the internet from itself or it will render itself practically useless.
  • by cleverhandle (698917) on Wednesday July 21, 2004 @01:17AM (#9756891)

    I suppose the router manufacturers will take this step, which would certainly generate more tech support calls and higher engineering costs, out of the goodness of their hearts?

    The manufacturers are in a beautiful position on the spam/virus issue - they just route the packets, virii are Microsoft's problem. Why rock the boat?

  • Great Idea! New technical concepts and products always excite me. We must keep one thing in mind however, hackers/crackers/spammers/whatever you want to call them are clever and very imaginative people. Single concepts and technologies will be overcome and bypassed. The security/spam fight needs to be a continuous and evolving process. One cannot simply rely on a single product or conceptual model to end malicious actions. When people start realizing that keeping computers secure is a process and NOT a
  • I, being the ubergeek that I am, already have a 14k^H^H^H^H "reverse-firewall".

    No hackers for me, no siree!
  • Reverse firewalls? (Score:5, Insightful)

    by afay (301708) on Wednesday July 21, 2004 @01:21AM (#9756923)
    First of all, the linked article simply describes a firewall blocking some outgoing traffic with easy rate limit rules (i.e. no email after x messages sent in y amount of time). There's no need to call it a reverse firewall. It's a firewall, plain and simple. Just because most people allow all outgoing traffic doesn't mean that if you block some you've invented a new type of firewall.

    The other article is really describing a completely different thing. They use the same term, reverse firewall, but they talk about firewalling each individual machine inside a lan. Basically, they suggest a firewall on each machine to protect the internal network from attacks that originate inside it. Completely different use of the term.

    It sort of looks like the submitter just googled for "reverse firewall" and posted the first match. Or actually it appears to be the 4th match. Anyway, regardless, the two links seem to be talking about different things. Both of them have merit, but neither seems particularly innovative. I do like the first articles idea of rate limiting outgoing email on home router boxes by default. Seems like it would solve a lot of spam problems.
  • by toupsie (88295) on Wednesday July 21, 2004 @01:25AM (#9756950) Homepage
    If you have got a Mac, there is a program called "Little Snitch [obdev.at]" that is an excellent reverse firewall. While I am not worried as much about my Mac becoming a part of a botnet, it is amazing to see how often my installed software packages want to "phone home". I have even caught third party web advertisers wanting to open ports outside of 80 and 443.

    A cable modem with a reverse firewall sounds nice but I would rather handle this at the CPU level. I want to choose what to block and accept.

    • Your software isn't necessarily "phoning home." It's probably trying to do something mundane, like print. In fact, if you do something stupid like block all network access, you'll kill your ability to print!

      As long as you make sure requests to "localhost" are allowed, you should be OK. :)

      Nathan
  • Just the thing to protect the computers of... Reverse Vampires
  • by rritterson (588983) * on Wednesday July 21, 2004 @01:28AM (#9756972)
    Reverse Firewall? As far as I know, a wall of fire would be flaming on both sides.

    All kidding aside, all capable firewalls do have outbound protection built into them. Consumer software firewalls monitor which programs are allowed to access the internet, for example, and enterprise-level firewalls allow you to define heuristics to block certain traffic patterns.

    So, basically, the article is just suggesting a new name for an old concept. Really, the author wants consumer networking devices to have more capable firewalls.

    He's missing something: home PCs aren't spam-generators, they are spam relays. The spam has to be getting in somehow, and that is something a normal firewall should be able to stop. On top of that, they have downloaded a trojan or been hit by a worm to turn them into relays in the first place, which is something a firewall + AV should prevent.

    Also, it's probably just as easy to educate 75% of the people how not to become a spam relay as it is to get 75% of the people to buy something with a reverse firewall and then train them how to use it (most people I know just put their computers into the DMZ when they play games because they don't know how to forward ports).

    Sure, layered security is a good thing, but I see this as likely to generate many headaches with not much benefit
    • Hear, hear!

      Outbound firewall is still firewall, not "reverse firewall" or "anti firewall" or ... It's firewall. Actually we should call inbound-only firewalls half-firewalls to distinguish from real firewalls.
    • by mdfst13 (664665) on Wednesday July 21, 2004 @02:41AM (#9757266)
      "He's missing something: home PCs aren't spam-generators, they are spam relays. The spam has to be getting in somehow, and that is something a normal firewall should be able to stop."

      They are generating the SMTP connections. Once a virus is on a computer, it can communicate out to its source via common ports, like http's port 80. It doesn't need to use a blockable port (although ports like the NetBIOS port should be blocked to avoid trojans). Anti-virus is a client side solution, and clearly, relying on clients does not work. Plus, there is a lag time between a virus being introduced and the AV software catching it.

      I'm not sure that the cable modem is the place to make these blocks either. I would think that they could be more sensibly made at the network router/switch.
  • I undrestand... (Score:3, Insightful)

    by altaic (559466) on Wednesday July 21, 2004 @01:30AM (#9756976)
    that spam is a difficult problem to solve, but that is the most idiotic idea I think I've ever encountered. That's like making it difficult to do encryption to prevent terrorists from communicating safely. Granted, "normal" people's computers are a vessel for spammers, but it's asinine to limit normal people's hardware. Why not fix the problem at the source and work on making consumer's computers secure? The day I find out my DSL modem is blocking ports or something like that is the day I wreck the thing while trying to fix it. I mean, really.
  • Just Put a Condom on it.
  • While it is true that the reverse firewall will stop too much traffic from a "home" computer, there are some aspects of this which raise interesting questions: 1. How much is "too much" ? How is this decided? 2. What abt proxies to circumvent this? 3. The majority of spam, generated is probably not from a home computer. 4. Modern firewalls can be configured for outbound filtering as well. How radically will the propsed scheme be different from this? Correct me if i am wrong in any of the assumptions above.
  • floods of e-mail (Score:2, Interesting)

    by weenis (656512)
    speaking of "floods of e-mail," one of the most entertaining things is to take my original copy of win2k without any service packs,
    do a fresh install,
    plug in without any firewall,
    and watch how fast the damn thing tries to send out mass mailings :-)
  • by Uhlek (71945)
    ip access-list extended EGRESS_FILTER
    permit tcp any eq smtp
    deny tcp any any eq smtp
    permit ip any any
    interface
    access-group EGRESS_FILTER out

    Fixed!
    • Stupid HTML

      ip access-list extended EGRESS_FILTER
      permit tcp any [smtp svr ip addr] eq smtp
      deny tcp any any eq smtp
      permit ip any any
      interface [whatever]
      access-group EGRESS_FILTER out

      Fixed!
    • permit tcp any eq smtp
      deny tcp any any eq smtp


      Is this a registery hack?

      Where do you set that up on my WIN XP box. I don't see any button marked permit and deny.

      Just kidding. I know it's not for Windows. However most of the compromised zombies are Win boxes. They are the ones needing the limit.
  • by Artega VH (739847) on Wednesday July 21, 2004 @01:46AM (#9757069) Journal
    This would limit the rate of outgoing emails (or presumably anything else) to a limit that most people wouldn't hit in normal use. If implemented this limit would be configurable in the "firewall" so that users who know what they are doing can alter it.

    It is different to software "reverse firewalls" such as Zonealarm as it couldn't easily be turned off by viruses and the like. But on the other hand it lets anything through once.

    It would be beneficial to prevent the massing hordes of clueless broadband users from being juicy targets to the spammmer - since each zombie could only send out a pathetically tiny number per hour.
  • by blazen1 (583950)
    However, the security model in 802.11 may not be enough to prevent an attacker to get access to the intranet.

    you're kidding..
  • Obviously this is a practical concept, but I'm hesitant. I personally feel that spam blocking is the burden of the receiver, just by the nature of the email protocol. I hate obtrusive advertising as much as the next guy, but I do recognize it as a form of speech. And no matter how inane, idiotic, and offensive it may be, I feel it is protected under the 1st amendment.

    I recognize that spam is an inconviniece for end recipients, and a serious waste of resources for networks. Regardless, i feel that a rever
    • I personally feel that spam blocking is the burden of the receiver, just by the nature of the email protocol.

      All well and good, until /. runs another story about SPEWS blocking yet another idiot site who decided to save money by hosting at a spamhaus. THEN nobody has the right to BLOCK spam either, so they can get their email from BBR.

      And no matter how inane, idiotic, and offensive it may be, I feel it is protected under the 1st amendment.

      Then you have no idea what the 1st amendment is all about.
  • by syousef (465911) on Wednesday July 21, 2004 @02:53AM (#9757301) Journal
    I use zonealarm. Most of the time its a nice sane product, and the price can't be beaten.That gives me an alert every time a new piece of software tries to access the net, for both outgoing and incoming connections. I then get to choose whether to always allow the program to make the connection, or just allow that particular instance.

    Only problem is its impractical to disallow common programs from connecting for themselves. So a trojan infecting one of these would make this feature useless. Perhaps what we need is an "allow x number of connections per y time" feature. That would stop floods and DDOS attacks at least.
    • If a trojan infects an application, then ZoneAlarm notes that the MD5 hash has changed and it asks you again if you want to allow that application access. If you haven't done anything to change it, then block access and investigate.
  • ZoneAlarmPro (Score:3, Insightful)

    by v1x (528604) on Wednesday July 21, 2004 @02:58AM (#9757316) Homepage
    ZoneAlarmPro is best known for its ability to block to control outgoing traffic. However, lesser known is its ability to control outgoing email, by specifying which applications can send email, along with how many emails are sent at once before an alarm is raised about possible virus/worm, and the offending application is frozen by ZoneAlarm until the user intervenes & allows it permission to do so. So, the functionality of the reverse firewall to reduce spam that the author is asking for is already available.
  • by mcco7614 (266304) on Wednesday July 21, 2004 @03:54AM (#9757485)
    I just think it's funny that VeriSign's "chief scientist" said we should use "reverse firewalls" ... I'll foil his plans by installing a reverse router with dual reverse Ethernet switches between my hosts and my cable modem. And I'll connect it all using my reverse CAT6 cables. This way, by the time a packet arrives at the reverse firewall it will already have been reversed...in which case...uhhh...it will be re-reversed and forwarded normally. Yup.

    I'm gonna go to reverse sleep now.
  • Dangerous twaddle (Score:5, Insightful)

    by cardpuncher (713057) on Wednesday July 21, 2004 @04:06AM (#9757532)
    Apart from the annoying debasement of the word "scientist", this really does reveal VeriSign's view of the function of the Internet and, unfortunately, it's becoming more common.

    If I buy an "Internet" service I have a reasonable expectation of being able to run any service I can encode in IP packets and have that service routed transparently end to end. I *should* be able to run a VPN, remotely mount filesystems, use VoIP or even run a mailserver if I want to. If I can't it isn't an Internet.

    Increasingly, ISPs seem to think that providing a link to their web proxy and a POP3 mailbox constitutes an adequate service. It might be for some people, but it's not the Internet, it's CompuServe revisited. It's good for ISPs though, because they can start charging you extra for "services" which simply involve them removing rules from your compulsory firewall.
    • Re:Dangerous twaddle (Score:4, Informative)

      by mks113 (208282) <mks@@@kijabe...org> on Wednesday July 21, 2004 @08:36AM (#9758521) Homepage Journal
      Yep, it is getting more widespread too.

      I've run a redhat/dsl box in my basement for four years. Until 6 months ago I had real internet access. Then they blocked outgoing SMTP. I'm running several mailing lists -- High school alumni with about 60 or so people per list. One in particular can get quite active. I also send out newsletters regarding an upcoming event to 100 people or so.

      Reworking exim to use the ISP's SMTP server wasn't a problem, until they actually started counting outgoing emails and disabled my account for a day due to >300 emails/hour.

      I figured it was time to move from my "grey" basement server to a commercial host. I was amazed at the price for what I wanted -- $8/month or less! I signed up and had things working in a few hours.

      It took a few days before problems really started to appear. Lots of people didn't appear to be getting email from the lists. More research showed that, in fact, although they advertised mailman lists, they still limited outgoing emails to ~60/hour or less.

      Two months later, I'm still with them. Looking around I've found that just about everyone puts those same anti-spam limits on ougoing email. Not having limits labels a provider as being "spam friendly", and I am the one suffering. The best I could find without limits was $35/month, which is steeper than I would like.

      "We have met the enemy, and he is us!"

      Michael
  • Just to be pedantic (Score:5, Informative)

    by fishbot (301821) on Wednesday July 21, 2004 @04:13AM (#9757561) Homepage
    but a firewall is a piece of software which allows or denies packets based on their properties; it cares not in which direction they are flowing.

    A reverse firewall, then, is just a firewall. It's like the difference between a slash and a forward slash (pet peeve). In fact, if you use an iptables or ipchains firewall, you only need a few extra rules to implement this on your gateway machine.
    • Mod parent up!

      I thought this exact same thing also... I have no experiences with commercial firewalling software but have used ipchains/iptables within Linux also.

      ipchains/iptables simply treat each packet as one of three types:

      1. Incoming (from a specific network interface)

      2. Outgoing (to a specific network interface)

      3. Forwarding (incoming from one network interface and outgoing to another = "routing")

      The way you build rules for each packet type is identical so you never have the concept of ju

  • New??? (Score:5, Interesting)

    by really? (199452) on Wednesday July 21, 2004 @04:28AM (#9757633)
    Perhaps it's just me, but egress filtering is the default behaviour on all FW boxes I set up. And I'm not even that much of a harcore security geek.
  • by atcurtis (191512) on Wednesday July 21, 2004 @07:14AM (#9758125) Homepage Journal

    I set up a firewall at a medium-sized company and the only machine which was allowed to connect to some remote machine on port 25 was the mail server. In a similar vein, the transparent proxy was deliberately set up to break LookOut Express HotMail over HTTP.

    Simple things like that, default to deny for both inbound and outbound, virus checking on the mail server: they all greatly reduce the risk of these Windows plagues.

    And I thought it was all pretty much standard practice.

    I personally think that individuals should take more responsibility for their equipment. It's not really the ISP's business to put in firewalls - perhaps if the users were to pay for the additional service, then the ISP can provide... The individual can always put in a firewall themselves which would only allow port 25 connection to their ISP's mailserver.

    Perhaps - a "manditory" additional fee for a firewall for those who do not have an operational firewall?

    Just thinking aloud....

  • by Ed Avis (5917) <ed@membled.com> on Wednesday July 21, 2004 @07:43AM (#9758218) Homepage
    Obviously, if the firewall rather than the PC becomes the main point allowing or denying access to the network then attackers will concentrate on the firewall instead. Lots of consumer-level firewalls are likely to have 'easy-to-use' features which can be exploited. Probably even a firewall control panel accessed from Windows, so all you need to do is crack the PC and wait for the user to enter the firewall password once.

    Arguing that we should use reverse firewalls to stop exploited PCs sending out traffic to the network is an admission that expecting security on the PC itself is doomed and we should rely on something, anything else - that doesn't run Windows. I think it would be better to attack the real problem and try to make the typical PC as hard to crack as the typical consumer firewall. For those stuck with insecure systems (or systems which make it very hard for a naive user to keep his PC secure) a reverse firewall might be a useful sticking plaster.
  • Yeah right... (Score:3, Insightful)

    by Anita Coney (648748) on Wednesday July 21, 2004 @07:45AM (#9758227) Homepage
    And the cable companies would NEVER use it to shut down things they don't like, e.g., online gaming servers, p2p programs, etc.

  • This is nothing new (Score:3, Interesting)

    by jbarr (2233) on Wednesday July 21, 2004 @08:29AM (#9758467) Homepage
    I've been using Zone Alarm to do this for years. And as I recall, Windows XP SP2 will include a bi-directional firewall. While it would be nice to have this implemented into a set-it-and-forget-it hardware solution, apps like Zone Alarm are are free and quite effective.

    Further, any effective hardware implementation will have to keep logs or send alerts because personally, I want to know what's being prevented from going out.

  • by ThatDamnMurphyGuy (109869) on Wednesday July 21, 2004 @09:10AM (#9758750) Homepage
    "Reverse" firewall huh. That sounds a lot like Egress filtering to me. Don't all real firewalls do that?

    I wouldn't trust stateful packet inspection on my "modem" as far as I could throw it. The firewall built into my old (not-so)Efficient 5861 DSL router was horrible. It had no statefuly packet inspection, so you were letting in packets on ports outside the realm of established connections. The firewall built into my Cayman 3546 is smarter, but not very configurable at all. It's either on or off and I could map some ports, but it's not nearly as configurable as others.

    The only thing I trust is my PF/IPF firewalls in place around the crappy DSL modem firewalls.
  • by pclminion (145572) on Wednesday July 21, 2004 @12:18PM (#9760449)
    In other words, this guy wants to force us to install egress firewalls on our home networks in the name of "stopping spam?" Can anybody else see how terrible this idea is?

    With a firewall in the cable modem itself, the cable company will be able to remotely configure it, and conceivably stop any kind of traffic they want to stop. Don't want you using P2P applications? Just firewall those ports! It's not like you "own" the cable modem anyway (most people just lease one). And even if you do own, they can just write a clause into the contract giving them rights to remotely configure it.

    Before you know it, cable modems without such firewalls will be banned from the network.

    Sorry, I'm not installing any piece of hardware that I don't own, is under direct control of the cable company, and can be used to filter my outgoing traffic. Not in a fucking million years. And definitely not in the name of "stopping spam."

    "Stop spam" has become the cyber equivalent of "Save the children." It seems we're willing to throw away far too much in return for too little benefit.

"Just Say No." - Nancy Reagan "No." - Ronald Reagan

Working...