Simple: If your firewall is like mine, then only packets going out to port 25, port 80, etc. are allowed, thus a trojan is less likely to be able to connect out (since they use ports like 31337 and so on). Plus, since my firewall runs application-level proxies for www/ftp, email, etc., about the only protocol I allow my internal machines to do outbound is 22 (ssh), which makes keeping tabs on what is going on very easy.
Could you please explain further? How does this relate to my question? How could I block trojan client (me) -> trojan server (the attacker) using ip_local_port_range? Is this /proc filesystem feature protocol-aware?
BB-Zone definition: ip_local_port_range: Range of ports used by TCP and UDP to choose the local port. Contains two numbers; the first number is the lowest port, the second number the highest local port. Default is 1024-4999. Should be changed to 32768-61000 for high-usage systems.
It seems to me that by using this feature I only define which ports are to be used locally for connecting to servers. But there are always a number of trojans in every port range. How could I prevent these by using a non-stateful firewall? Is there a way?
Philipp
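To make the two posts above concrete, here is an added example (not code from either poster) modelling a non-stateful packet filter: it assumes the 32768-61000 value from the quoted ip_local_port_range definition, the first poster's allowed outbound ports (22, 25, 80), and hypothetical names Packet, stateless_filter and verdicts. It shows that ip_local_port_range only constrains the local source port, that the destination-port rule stops a client talking to 31337, and that a port filter with no connection table cannot tell which program opened a connection to an allowed port.

```python
from dataclasses import dataclass

# Assumed kernel setting, using the "high-usage" value from the quoted definition:
# local (source) ports for outgoing connections are picked from this range.
IP_LOCAL_PORT_RANGE = (32768, 61000)

# Destination ports the first poster says are allowed outbound (ssh, smtp, http).
ALLOWED_OUT_DPORTS = {22, 25, 80}

@dataclass(frozen=True)
class Packet:
    direction: str     # "out" (internal -> internet) or "in"
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False  # TCP ACK flag; a stateless filter uses it to approximate "established"

def in_local_range(port: int) -> bool:
    lo, hi = IP_LOCAL_PORT_RANGE
    return lo <= port <= hi

def stateless_filter(pkt: Packet) -> str:
    """Return 'accept' or 'drop'. No connection table exists: each packet is judged
    on its own header fields, which is all a non-stateful firewall has to go on."""
    if pkt.direction == "out":
        # Outbound: source must be an ephemeral port, destination a permitted service port.
        if in_local_range(pkt.sport) and pkt.dport in ALLOWED_OUT_DPORTS:
            return "accept"
        return "drop"
    # Inbound: accept only what looks like a reply to our own connection, i.e. TCP with
    # ACK set, from a permitted service port, to our ephemeral range. A bare SYN aimed
    # at the ephemeral range (someone connecting in to a listener there) is dropped.
    if (pkt.proto == "tcp" and pkt.ack and in_local_range(pkt.dport)
            and pkt.sport in ALLOWED_OUT_DPORTS):
        return "accept"
    return "drop"

# Constructed sample traffic (not captured from any real host).
SAMPLE = {
    "ssh_out":       Packet("out", "tcp", 40000, 22),
    "trojan_31337":  Packet("out", "tcp", 40001, 31337),   # dropped by the dport rule
    "client_on_80":  Packet("out", "tcp", 40002, 80),      # looks like web traffic to a port filter
    "inbound_reply": Packet("in", "tcp", 80, 40002, ack=True),
    "inbound_syn":   Packet("in", "tcp", 31337, 40003),    # unsolicited connect-in: dropped
    "bad_sport_out": Packet("out", "tcp", 1025, 80),       # sport outside ip_local_port_range
}

def verdicts() -> dict:
    return {name: stateless_filter(p) for name, p in SAMPLE.items()}
```

Calling verdicts() gives the per-packet decisions; the "client_on_80" case is the gap Philipp asks about, and the reason the first poster puts application-level proxies in front of such protocols rather than relying on port numbers alone.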