
cacert-sysadm - Re: Outbound fire-walling for CAcert infrastructure

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

  • From: Mario Lipinski <mario AT cacert.org>
  • To: Jan Dittberner <jandd AT cacert.org>
  • Cc: cacert-sysadm AT lists.cacert.org
  • Subject: Re: Outbound fire-walling for CAcert infrastructure
  • Date: Sat, 07 Jul 2012 21:06:31 -0700
  • Organization: CAcert (Infrastructure Team Leader, Organisation Assurer, Arbitrator / Case Manager)

On 07.07.2012 16:48, Jan Dittberner wrote:
> On Sat, Jul 07, 2012 at 03:54:49PM -0700, Mario Lipinski wrote:
>> What do you think about allowing all outbound traffic for some or all
>> CAcert infrastructure hosts?
> 
> In my opinion outbound traffic is ok, maybe we should restrict it to
> some ports (http (80)/https (443)/git (9418)) though. We can ask
> sysadmins if they have other ports that might be useful too.

What is the gain in security by limiting the outbound traffic by ports?
OK, a root kit might not be able to be controlled e.g. via IRC. But some
malware may still be able to load code via HTTP. And also the mentioned
control channels could also work via port 80 these days?
If we want to maintain a port limitation, then we should add FTP (20, 21).

Mario

-- 
Best regards

Mario Lipinski
Infrastructure Team Leader,         E-Mail: mario AT cacert.org
Organisation Assurer (Germany),     Internet: http://www.cacert.org
Arbitrator / Case Manager
CAcert

Support CAcert: http://www.cacert.org/index.php?id=13
                http://wiki.cacert.org/wiki/HelpingCAcert



Attachment: smime.p7s
Description: S/MIME cryptographic signature



