From owner-freebsd-pf@FreeBSD.ORG Thu Jul 29 21:50:48 2010
From: Greg Hennessy
To: Peter Maxwell
Cc: "freebsd-pf@freebsd.org"
Date: Thu, 29 Jul 2010 22:50:43 +0100
Subject: RE: For better security: always "block all" or "block in all" is enough?
Message-ID: <9E8D76EC267C9444AC737F649CBBAD902769C51F15@PEMEXMBXVS02.jellyfishnet.co.uk.local>
List-Id: "Technical discussion and general questions about packet filter \(pf\)"