For better security: always "block all" or "block in all" is enough?
Greg Hennessy
Greg.Hennessy at nviz.net
Wed Jul 28 19:50:53 UTC 2010
> What disadvantages does it have in terms of security in comparison with
> "block all"? In other words, how bad it is to have all outgoing ports always
> opened and whether someone can use this to hack the system?
>
It's the principle of 'least privilege'. Explicitly allow what is permitted, deny everything else.
It should also be
block log all
A default block policy without logging has a certain ass biting inevitability to it.
Greg
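
The default-deny, logged policy described in the reply above, written out as a pf.conf fragment next to the "block in all" policy from the question. This is an added example, not part of the original post; the interface name em0 and the list of permitted services are assumptions.

```conf
# /etc/pf.conf (added example; em0 and the permitted services are assumptions)
ext_if = "em0"

set skip on lo0

# Policy from the question: inbound is filtered, every outbound port is open.
# block in all
# pass out all keep state

# Policy from the reply: deny and log everything by default, in both directions.
block log all

# Explicitly allow only the outbound traffic this host needs.
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to any port domain keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any port { http, https } keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port ntp keep state

# Explicitly allow the one inbound service offered.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh keep state
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it. With pflog enabled, packets dropped by the `block log all` rule can be read with `tcpdump -n -e -ttt -i pflog0`, which shows any outbound connection attempt the pass rules did not anticipate.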