For better security: always "block all" or "block in all" is enough?

Greg Hennessy Greg.Hennessy at
Wed Jul 28 19:50:53 UTC 2010

> What disadvantages does it have in term of security in comparison with
> "block all"? In other words, how bad it is to have all outgoing ports always
> opened and whether someone can use this to hack the system?

It's the principle of 'least privilege'.  Explicitly allow what is permitted, deny everything else. 

It should also be 

	block log all

A default block policy without logging has a certain ass-biting inevitability to it.
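For readers who want to see the three policies side by side, here is an added pf.conf example that is not part of the original post. The interface name (em0) and the permitted services (inbound SSH; outbound DNS, HTTP/HTTPS and NTP) are assumptions chosen for illustration; substitute your own.

```pf
# Added example, not from the original post. The interface name and the
# allowed services are assumptions; adjust them for your host.
ext_if = "em0"

set skip on lo

# Default policy, last matching rule wins, so this goes first.
#   block in all   - drops unsolicited inbound traffic, but leaves every
#                    outbound port open (not least privilege)
#   block all      - drops both directions, silently
#   block log all  - drops both directions AND records each drop on pflog0,
#                    so a legitimate service that stops working is diagnosable
block log all

# Explicitly allow what is permitted; everything else stays blocked.
# Inbound: SSH to this host only.
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state

# Outbound: only the services this host needs.
pass out on $ext_if proto { tcp udp } to any port 53 keep state
pass out on $ext_if proto tcp to any port { 80 443 } keep state
pass out on $ext_if proto udp to any port 123 keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. Because the default rule logs, anything that is being dropped shows up with `tcpdump -n -e -ttt -i pflog0`, which is exactly what you want when a host stops reaching something and you need to know whether the firewall is the reason.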
