onlyonemac wrote:
bluemoon wrote:
Stateful or not, you need some layer 3 rules to prevent the machine from doing random outgoing activity to non-trusted peers; failing that means insecure. There is less point talking about the security of an insecure system.
In a traditional setup it's considered secure to have a system with no outgoing rules, sorry. Usually you want to block malicious traffic coming into a local server process, not block a local client from sending outgoing traffic. (This of course works on the assumption that all local clients are trustworthy and are not going to send malicious outgoing traffic - an assumption which, if you're not comfortable with it, you're welcome to set up an outgoing firewall rule for, except that the correct way to deal with local malicious software isn't with a firewall rule but with preventing the installation of / removing the malicious software in the first place.)
With all the reverse proxy and similar techniques, there is not much technical difference between incoming and outgoing traffic for a (malicious) server. When we talk about security, there is no fully secured system as long as it's attached to the internet, but one would push toward as much security as the budget affords. For a small company or home user it's sufficient to have zero outgoing rules, but then you take the risk of running a trojan with a reverse proxy over an onion network.
Also note that practically you can't prevent the installation of malicious software: the user is dumb enough to run email attachments, or the OS itself has more unpublished exploits than you would expect. While it's correct to examine the network and remove anything malicious ASAP, there is no conflict in also having outgoing rules.
Last, I consider the hole punching thing proposed by the OP malicious: it is doing something not intended, and it happens to pass through the firewall due to not having enough rules.
EDIT: IIRC, you can also limit the remote address for hole punching, so that when A punches a hole to the blackhole, B can't get in since he can't easily spoof the blackhole address without breaking into your ISP.
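As an added illustration (not part of any post in this thread, and not code from either poster), the following Python models the two points argued above: with a stateful filter and no outgoing rules, any local process (a trojan included) can open a return path simply by sending first, and with an egress allowlist limited to the intended remote address a punched hole only admits that address, so "B" is kept out unless it spoofs the peer's source address. The firewall, the conntrack model (reverse 5-tuple matching, as netfilter does for UDP/TCP ESTABLISHED) and all addresses are hypothetical constructions using documentation ranges; nothing here talks to a real network.

```python
"""Toy stateful host firewall to reason about egress rules and hole punching.

Everything here is a constructed model, not a real packet filter.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving this host, "in" = arriving at this host
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class StatefulFirewall:
    """Default-deny inbound, stateful replies, optional egress allowlist.

    Shape of the policy being modelled (iptables-style):
      INPUT  policy DROP; accept ESTABLISHED,RELATED
      OUTPUT policy DROP; accept -d <allowlist>   (or no OUTPUT rules at all)
    Conntrack is a set of 5-tuples; an inbound packet is ESTABLISHED only if
    its reversed tuple was recorded by an accepted outbound packet.
    """

    def __init__(self, egress_allow: Optional[list] = None):
        # None means "no outgoing rules": every outbound packet is accepted.
        self.egress_allow = egress_allow
        self.conntrack: set = set()

    def _egress_permitted(self, pkt: Packet) -> bool:
        if self.egress_allow is None:
            return True
        return any(ip_address(pkt.dst) in net for net in self.egress_allow)

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if not self._egress_permitted(pkt):
                return "DROP"
            # An accepted outbound packet creates the state that lets replies in.
            self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reverse in self.conntrack else "DROP"


# Constructed addresses from RFC 5737 documentation ranges (not real hosts).
HOST = "192.0.2.10"            # the machine being protected ("A")
TRUSTED_PEER = "198.51.100.7"  # the one remote A is meant to punch toward
C2 = "203.0.113.5"             # where a trojan would phone home (reverse-proxy case)
THIRD_PARTY = "203.0.113.99"   # "B", trying to ride the hole A punched


def trojan_phone_home(restrict_egress: bool = False):
    """Trojan opens an outbound TCP session; returns (outbound verdict, reply verdict)."""
    allow = [ip_network("198.51.100.0/24")] if restrict_egress else None
    fw = StatefulFirewall(allow)
    out = fw.filter(Packet("out", HOST, 40000, C2, 443, "tcp"))
    back = fw.filter(Packet("in", C2, 443, HOST, 40000, "tcp"))
    return out, back


def hole_punch_with_limited_remote():
    """A may only punch toward TRUSTED_PEER; who can come back through the hole?"""
    fw = StatefulFirewall(egress_allow=[ip_network(TRUSTED_PEER + "/32")])
    punch = fw.filter(Packet("out", HOST, 5000, TRUSTED_PEER, 5000))
    reply = fw.filter(Packet("in", TRUSTED_PEER, 5000, HOST, 5000))
    # B's source address differs, so the reversed 5-tuple is not in conntrack.
    b_attempt = fw.filter(Packet("in", THIRD_PARTY, 5000, HOST, 5000))
    # The caveat from the post: B gets in only by spoofing TRUSTED_PEER's address.
    spoofed = fw.filter(Packet("in", TRUSTED_PEER, 5000, HOST, 5000))
    # And A cannot punch toward an arbitrary address at all under this policy.
    stray_punch = fw.filter(Packet("out", HOST, 5000, THIRD_PARTY, 5000))
    return punch, reply, b_attempt, spoofed, stray_punch


if __name__ == "__main__":
    print("no egress rules, trojan:      ", trojan_phone_home())
    print("egress allowlist, trojan:     ", trojan_phone_home(restrict_egress=True))
    print("limited-remote hole punch:    ", hole_punch_with_limited_remote())
```

The point the model makes concrete: the inbound side never changes between the two trojan runs; what closes the return path is that the egress rule stops the outbound packet before any conntrack state exists. The `spoofed` verdict shows the residual risk the EDIT mentions, which a host filter cannot address on its own.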