Linux – What are the risks if all outgoing connections/ports are open

Tags: firewall, linux

To solve a Facebook authorization connection problem on our server, we decided to open all outgoing connections/ports in the firewall to see if it was really a security issue.

After allowing this, the Facebook connection worked.

However, I don't have an idea of what the risks are if we fully implement these settings.

Thank you!

Best Answer

I think the "common wisdom" behind locking down traffic egressing the network has always been something like "Bad people could send traffic out of your network in ways you don't want them to." Certainly, I've seen remote exploits foiled by aggressive firewalls preventing the exploit code from FTP'ing out to download its payload, etc. There's some value in limiting egress ports.

Having said that, though, anything can be tunneled over another protocol (arbitrary TCP over HTTP, SSH over DNS, IP over carrier pigeon, etc), so limiting egress ports to limit egress traffic has an air of a false sense of security about it. Unless you're doing layer 7 inspection of the egress traffic you can't really be sure that the thing making requests outbound on TCP port 80 really is an HTTP client. Even if it is an HTTP client, unless you're being very draconian about the layer 7 examination it may be an HTTP client that's tunneling arbitrary data over HTTP.

Limiting egress ports is a good idea, but don't be fooled into thinking that it's a major "security win". "Smart" software (malicious or otherwise; Skype is a good example of a program that handles filtered egress ports very well) will work around you.

As an aside, I'm not aware of Facebook needing anything other than HTTP and HTTPS.
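Putting the answer's advice into practice for the server in the question, here is an added example (not part of the original answer) of the restrictive alternative to opening everything outbound: a default-deny OUTPUT chain that allows loopback, replies to established connections, DNS to a named resolver, and new HTTP/HTTPS connections, and logs anything else that tries to leave. It assumes iptables on IPv4 and a hypothetical resolver address 10.0.0.53; the rule set is emitted as text so it can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example, not from the original post: generate a default-deny egress
# policy for a web server that only needs outbound DNS, HTTP and HTTPS.
# Assumptions: iptables (IPv4 only); 10.0.0.53 is a hypothetical resolver.

egress_rules() {
    dns="${1:-10.0.0.53}"   # hypothetical resolver address; replace with yours
    cat <<EOF
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -d $dns --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -d $dns --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
iptables -A OUTPUT -j DROP
iptables -P OUTPUT DROP
EOF
}

# Summarise which destination ports the generated policy lets new
# connections reach, so the policy can be checked before it is applied.
allowed_ports() {
    egress_rules "$1" | sed -n 's/.*--dport \([0-9]*\).*/\1/p' | sort -un | xargs
}

# Review first:   sh egress.sh | less
# Apply as root:  egress_rules | sh
```

The default policy is switched to DROP only after the ESTABLISHED,RELATED rule is in place, so an SSH session used to apply the rules is not cut off in between. Dropped attempts appear in the kernel log with the EGRESS-DROP prefix, which is the cheapest way to find out which legitimate outbound flows you forgot. As the answer notes, this only limits ports: anything that tunnels over an allowed port 443 connection passes straight through.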