From: Peter Maxwell
To: Greg Hennessy
Cc: "Spenst, Aleksej", freebsd-pf@freebsd.org
Date: Thu, 29 Jul 2010 03:52:52 +0100
Subject: Re: For better security: always "block all" or "block in all" is enough?
List-Id: Technical discussion and general questions about packet filter (pf)

On 28 July 2010 20:39, Greg Hennessy wrote:

> > What disadvantages does it have in terms of security in comparison with
> > "block all"? In other words, how bad is it to have all outgoing ports always
> > opened, and whether someone can use this to hack the system?
>
> It's the principle of 'least privilege'. Explicitly allow what is
> permitted, deny everything else.
>
> It should also be
>
> block log all
>
> A default block policy without logging has a certain ass biting
> inevitability to it.

However, not as much "ass biting" potential as with logging on. Ask anyone who has done commercial firewall work and they'll tell you not to enable logging on the default deny/drop rule unless you are debugging/testing - think denial of service.
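A pf.conf sketch that follows the advice in this thread (an added example, not a ruleset from anyone in the discussion): default deny in both directions without `log`, explicit stateful pass rules, and logging confined to one narrow rule so that an unbounded stream of dropped packets cannot flood pflog. The interface name em0, the management subnet and the port lists are assumptions.

```pf
# Added example, not from the thread. em0, admin_net and the port lists
# are constructed values; adjust to the host.
ext_if    = "em0"
admin_net = "192.0.2.0/24"       # constructed management subnet
tcp_out   = "{ 22 53 80 443 }"   # assumed outbound TCP allow-list
udp_out   = "{ 53 123 }"         # assumed outbound UDP allow-list

set skip on lo0

# Default deny, deliberately WITHOUT log. Contrast:
#   block in all  -> only inbound is denied; every outbound connection
#                    is still allowed, so a compromised process can reach
#                    anything it likes
#   block all     -> both directions denied until explicitly passed
# Logging here means anyone able to send you packets can make you write
# an entry for every one you were going to drop anyway (disk/pflog DoS).
block all

# Debugging/testing only; leave commented out in production.
# block log all

# Explicitly permit what this host needs. Stateful rules match the
# replies, so no mirror "pass in" rules are required for these.
pass out on $ext_if inet proto tcp to any port $tcp_out keep state
pass out on $ext_if inet proto udp to any port $udp_out keep state
pass out on $ext_if inet proto icmp icmp-type echoreq keep state

# Inbound: SSH from the management network only. "quick" stops evaluation
# here, so the logging block rule below never sees admin traffic.
pass in quick on $ext_if inet proto tcp from $admin_net to ($ext_if) port 22 keep state

# If you want visibility into SSH drops, log only this narrow class of
# traffic instead of every packet the default policy discards.
block in log quick on $ext_if inet proto tcp to ($ext_if) port 22
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, and watch the logged rule with `tcpdump -n -e -ttt -i pflog0` while testing.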