pf vs. RST attack question
Giorgos Keramidas
keramida at ceid.upatras.gr
Mon Oct 6 11:36:49 UTC 2008
On Mon, 6 Oct 2008 02:07:04 -0700, Jeremy Chadwick <koitsu at freebsd.org> wrote:
>>> This is incredibly draconian. :-) I was trying my best to remain
>>> realistic.
>>
>> It's no such thing. This is the recommended standard practice when
>> designing firewalls: always start from the premise that all traffic
>> will be dropped by default and add specific exceptions to allow the
>> traffic you want. [...]
>
> What I mean by 'draconian': "block drop all" includes both incoming
> *and* outgoing traffic.
>
> I have absolutely no qualms with "block in all", but "block out all"
> is too unrealistic, depending greatly on what the purpose of the
> machine is. Any outbound sockets are going to be allocated
> dynamically (e.g. non-static port number), so there's no effective
> way to add pass rules for outbound traffic. Using uid/gid is not
> sufficient.
>
> I often advocate using "block in all", "pass out all", and then adding
> specific "pass" rules for incoming traffic (e.g. an Internet request
> wishing to speak to BIND on port 53, Apache on 80/443, etc.).
Ah! :)
I was a bit confused in my last post then. I thought you were talking
about `block in all' too.
> Good discussion! (And I hope the OP is learning something :-) )
:-)
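The policy Jeremy describes (default-deny inbound, allow outbound with state, then explicit exceptions for the daemons the host serves), written out as a pf.conf ruleset. This is an added example, not code from the thread; the interface name `em0` and the address/port macros are assumptions.

```pf
# Added example ruleset (not from the thread). Interface name and
# service lists are assumptions; adjust them for the host in question.
ext_if = "em0"                       # assumed external interface
tcp_services = "{ 53, 80, 443 }"     # BIND and Apache, as named in the thread
udp_services = "{ 53 }"              # DNS also answers over UDP

set skip on lo0                      # never filter loopback traffic

# Default policy: silently drop anything arriving that is not
# explicitly allowed by a later "pass in" rule.
block in all

# Outbound: allow everything, but keep state so the replies to our own
# dynamically allocated source ports are matched by the state table
# rather than needing per-port "pass in" rules (this is why "block out
# all" is impractical for ordinary client sockets).
pass out all keep state

# Specific exceptions for services this host offers to the Internet.
# "flags S/SA" means only a bare SYN may create TCP state, so stray
# segments (including unsolicited RSTs) for unknown connections are
# dropped by the default rule above.
pass in on $ext_if proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if proto udp from any to ($ext_if) \
    port $udp_services keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; `pfctl -ss` afterwards shows the state entries that the outbound rule creates for each live connection.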