From: Greg Hennessy <Greg.Hennessy@nviz.net>
To: Peter Maxwell
Cc: "Spenst, Aleksej", freebsd-pf@freebsd.org
Date: Thu, 29 Jul 2010 12:17:49 +0100
Subject: RE: For better security: always "block all" or "block in all" is enough?
Message-ID: <9E8D76EC267C9444AC737F649CBBAD902767E3BF75@PEMEXMBXVS02.jellyfishnet.co.uk.local>
References: <20290C577F743240B5256C89EFA753810C46894B92@HIKAWSEX01.ad.harman.com> <9E8D76EC267C9444AC737F649CBBAD902769BF6F5B@PEMEXMBXVS02.jellyfishnet.co.uk.local>
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>
"Ask anyone who has done commercial firewall work...."

Yes Peter, of course Peter

Meanwhile in the real world....

There are Governance, Risk, and Compliance reasons for logging all attempts to bypass security policy by hitting the default deny rule.

These reasons are both de facto and de jure obligatory.

The Operational and Reputational risks of driving security control points blind far outweigh the tiny residual risk of a putative DoS attack against a firewall policy with default block logging enabled.

Having made PF on FreeBSD bleed in the past through various nefarious testing methods, I can't say that taking the firewall offline through resource exhaustion (CPU, Storage, Network) caused by logging was ever a primary cause of a test failing.

Kind regards
Greg

From: allicient3141@gmail.com [allicient3141@gmail.com] On Behalf Of Peter Maxwell [peter@allicient.co.uk]
Sent: 29 July 2010 03:52
To: Greg Hennessy
Cc: Spenst, Aleksej; freebsd-pf@freebsd.org
Subject: Re: For better security: always "block all" or "block in all" is enough?

On 28 July 2010 20:39, Greg Hennessy wrote:

>> What disadvantages does it have in terms of security in comparison with
>> "block all"? In other words, how bad is it to have all outgoing ports always
>> opened, and can someone use this to hack the system?
>
> It's the principle of 'least privilege'. Explicitly allow what is permitted, deny everything else.
>
> It should also be block log all
>
> A default block policy without logging has a certain ass biting inevitability to it.

However not as much "ass biting" potential as with logging on.

Ask anyone who has done commercial firewall work and they'll tell you not to enable logging on the default deny/drop rule unless you are debugging/testing - think denial of service.
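The difference the thread is arguing about, written out as a pf.conf. This is an added example, not a ruleset posted by anyone in the thread; the interface name em0, the admin network 192.0.2.0/24 and the permitted outbound ports are assumptions chosen for illustration. `block in all` only denies inbound traffic and leaves every outbound connection permitted, which is the situation Aleksej asked about; `block log all` denies both directions and sends each hit on the default rule to pflog0, which is Greg's recommendation.

```pf
# Added example: a least-privilege pf.conf for a FreeBSD host.
# Assumed: external interface em0, admin hosts in 192.0.2.0/24 (RFC 5737 documentation range).
ext_if    = "em0"
admin_net = "192.0.2.0/24"

set skip on lo0

# Default deny in BOTH directions, logged to pflog0.
# Compare "block in all": that rule alone would leave all outbound
# connections open, so a compromised process could call home freely.
block log all

# Explicitly permit what this host is allowed to initiate outbound.
# 'keep state' admits the replies without needing an inbound pass rule.
pass out quick on $ext_if proto { tcp udp } from ($ext_if) to any \
    port { 53 80 123 443 } keep state
pass out quick on $ext_if inet proto icmp from ($ext_if) to any \
    icmp-type echoreq keep state

# Inbound: only SSH, and only from the admin network.
pass in quick on $ext_if proto tcp from $admin_net to ($ext_if) \
    port 22 flags S/SA keep state

# Anything not matched by a 'quick' pass rule above falls through to
# the logged default deny.
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and watch what the default rule is catching with `tcpdump -n -e -ttt -i pflog0`. If you want the trade-off Peter describes rather than Greg's, the logging is per rule: drop the `log` keyword from the default deny (or split it into `block log in` and a silent `block out`) and only the rules that still carry `log` generate pflog traffic.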