From: Jon Radel <jon@radel.com>
Date: Wed, 28 Jul 2010 15:31:45 -0400
To: freebsd-pf@freebsd.org
Subject: Re: For better security: always "block all" or "block in all" is enough?
Message-ID: <4C5085A1.6070905@radel.com>
In-Reply-To: <20290C577F743240B5256C89EFA753810C46894B92@HIKAWSEX01.ad.harman.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"
On 7/28/10 2:55 PM, Spenst, Aleksej wrote:
> Hi All,
>
> I have to provide better security for my system and I guess it would be better to start pf.conf with the "block all" rule, opening afterwards only those incoming and outgoing ports that are supposed to be used by the system on external interfaces. However, it would be easier for me to write all pf rules if I start pf.conf with "block in all", i.e. if I block only traffic coming in from the outside and open all ports for outgoing traffic.
>
> - Incoming ports: only udp/68 (for dhcp client) and http/80 (for http server) always open;
> - Outgoing ports: all ports always open. All traffic going outside from the system has "keep state";
>
> What disadvantages does it have in terms of security in comparison with "block all"? In other words, how bad is it to have all outgoing ports always open, and can someone use this to hack the system?
>
> Thanks a lot for any tips!!
> Aleksej.

The only real answer is: It depends. :-)

One example of outbound blocking that some find useful: Block all outbound traffic to port 25 that comes from any machine other than authorized e-mail servers. On one network I deal in, this makes sense, as the various Windows workstations have no business sending mail to anything other than the internal mail servers, and if they try there's a good chance it's a trojan of some sort doing the sending. Obviously, there are other networks where this would make no sense.

In a general sort of way, allowing outbound traffic doesn't expose you to attacks, but it makes your machine more valuable to an attacker who does succeed. For example, if you allow outbound ssh and telnet, etc., etc., it makes it easier to use your machine to stage attacks on other machines.

On the other hand, if the firewall is on the server in question, rather than being another piece of equipment, anybody who has root can rearrange your firewall for you....

-- 
--Jon Radel
jon@radel.com
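The ruleset below is an added example, written for this thread and not posted by either participant. It shows the "block all" approach Aleksej asks about (inbound udp/68 and tcp/80 only, outbound limited to what the host needs, all stateful) combined with the outbound port 25 restriction Jon describes. The interface name em0 and the addresses in the mailservers table are assumed placeholders.

```pf
# Added example: default-deny in both directions, with only the inbound
# services from the question and a short list of outbound needs.
# Interface name and table contents are assumed, not taken from the thread.
ext_if = "em0"

# Hosts allowed to talk SMTP to the outside; every other sender to port 25
# is dropped and logged, which surfaces trojan-style mail sending in pflog.
table <mailservers> { 192.0.2.10, 192.0.2.11 }

set skip on lo0

# "block all": deny in and out by default, logged so drops are reviewable.
block log all

# Inbound: DHCP client replies (udp/68) and the web server (tcp/80).
pass in on $ext_if inet proto udp from any port 67 to any port 68 keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 \
    flags S/SA keep state

# Outbound SMTP: only the listed mail servers may reach port 25.
block out log quick on $ext_if inet proto tcp from ! <mailservers> to any port 25
pass out on $ext_if inet proto tcp from <mailservers> to any port 25 keep state

# Remaining outbound traffic this host actually needs, each with state,
# instead of the blanket "pass out all" the question considers.
pass out on $ext_if inet proto udp from any port 68 to any port 67 keep state
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to any port 53 keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port 123 keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any port { 80, 443 } keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` for anything the default block is dropping that the host legitimately needs.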