For better security: always "block all" or "block in all" is
enough?
Peter Maxwell
peter at allicient.co.uk
Thu Jul 29 02:52:58 UTC 2010
On 28 July 2010 20:39, Greg Hennessy <Greg.Hennessy at nviz.net> wrote:
>
> > What disadvantages does it have in term of security in comparison with
> > "block all"? In other words, how bad it is to have all outgoing ports
> always
> > opened and whether someone can use this to hack the sysem?
> >
>
> It's the principle of 'least privilege'. Explicitly allow what is
> permitted, deny everything else.
>
> It should also be
>
> block log all
>
> A default block policy without logging has a certain ass biting
> inevitability to it.
>
>
However not as much "ass biting" potential as with logging on. Ask anyone
who has done commercial firewall work and they'll tell you not to enable
logging on the default deny/drop rule unless you are debugging/testing -
think denial of service.
More information about the freebsd-pf
mailing list