John Andersen said the following on 04/30/2013 02:44 PM:
On 4/30/2013 11:22 AM, Anton Aylward wrote:
No, I'm not talking about servers, I mean things like web browsers and email clients. It doesn't even have to be drive-bys or getting the user to click on the URL of an HTML-mail message. To do nifty things people download extensions and plugins. They don't even have to be trojans. Recall the bugs in Adobe Reader that would let a specially crafted document exploit the vulnerability? Well now Firefox has its own built-in PDF reader :-) Wanna bet that is "bug free"?
The problems you mention won't be fixed by a firewall.
YES! RIGHT! That's my point
Virtually all malware these days use outbound connections,
YES! RIGHT! That's my point
and unless you do mercenary egress filtering (not practical in the real world) your firewall will happily allow outbound connections from just about anything on just about any port to just about any target IP.
Which is the case with most "home firewalls" (think Windows?) and, I'm sorry to say, all too many corporate firewalls. Even those that have DLP. A tool that stops outsiders sending restricted documents out over the Internet is fine, but there is a whole pile of things that aren't in that class which are still .... nasty.
I egress filter a few common ports at the firewall (smtp and a couple others), against the possibility that some visitor to my network will have a spambot on their horribly compromised windows machine.
And it may also be the case that in order to prevent the propagation of spam and other nasty stuff, your ISP blocks you (and its other customers) from sending to port 25 of any machine except its own mail relay. Then it can enforce some kind of control, perhaps rate limiting, perhaps content inspection (as some governments are now getting more aggressive about demanding of ISPs) but certainly stopping you using some other 'open relay' host. OK so there are ways round that too, but ... Better to do something ...

--
"How well we communicate is determined not by how well we say things but by how well we are understood." -- Andrew S. Grove.
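The egress policy the thread describes (outbound SMTP allowed only to the ISP's relay, a few noisy ports blocked outright, everything else allowed) can be checked against a connection log before it is turned into firewall rules. The following is an added example, not code from anyone in the thread; the LAN range, the relay address, the blocked-port list and the sample log lines are all constructed placeholders drawn from the RFC 5737 documentation ranges.

```python
"""Evaluate a simple egress policy over constructed outbound-connection records.

Policy modelled (assumed, not from the thread):
  * port 25 (SMTP) is allowed only to a designated mail relay;
  * a short list of Windows file-sharing ports never leaves the LAN;
  * anything else outbound is allowed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder values (RFC 5737 documentation ranges).
LAN = ip_network("192.0.2.0/24")                 # the network being protected
ISP_MAIL_RELAY = ip_network("203.0.113.25/32")   # the only permitted SMTP destination
RELAY_ONLY_PORTS = {25}                          # SMTP: relay only
BLOCKED_PORTS = {135, 137, 138, 139, 445}        # never allowed to leave the LAN


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def egress_verdict(flow: Flow) -> str:
    """Return 'allow', 'allow-relay' or 'deny' for one flow.

    Only flows that originate inside LAN and terminate outside it are
    subject to the policy; everything else is out of scope and allowed.
    """
    src = ip_address(flow.src)
    dst = ip_address(flow.dst)
    if src not in LAN or dst in LAN:
        return "allow"  # not an egress flow
    if flow.dport in BLOCKED_PORTS:
        return "deny"
    if flow.dport in RELAY_ONLY_PORTS:
        return "allow-relay" if dst in ISP_MAIL_RELAY else "deny"
    return "allow"


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst dport proto' record."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


def apply_policy(lines):
    """Return (Flow, verdict) pairs for every non-empty record."""
    flows = [parse_flow(line) for line in lines if line.strip()]
    return [(flow, egress_verdict(flow)) for flow in flows]


def denied_flows(lines):
    """Flows the policy would block: a spambot talking to an open relay shows up here."""
    return [flow for flow, verdict in apply_policy(lines) if verdict == "deny"]


# Constructed sample log: one legitimate relay submission, one direct-to-MX
# attempt typical of a spambot, one HTTPS session, one SMB attempt, one LAN-internal flow.
SAMPLE_LOG = """\
192.0.2.10 203.0.113.25 25 tcp
192.0.2.10 198.51.100.7 25 tcp
192.0.2.11 198.51.100.7 443 tcp
192.0.2.11 198.51.100.7 445 tcp
192.0.2.12 192.0.2.20 25 tcp
"""

if __name__ == "__main__":
    for flow, verdict in apply_policy(SAMPLE_LOG.splitlines()):
        print(f"{verdict:12} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Run against the sample log, the direct port-25 connection to a non-relay host and the outbound SMB attempt are the two flows the policy denies; the relay submission, the HTTPS session and the LAN-internal flow pass. The same three rules are what an egress chain on the firewall would express, so checking them against a day of real flow records first shows which legitimate traffic (a visitor's mail client configured for a remote submission host, say) the rules would break.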