From owner-freebsd-questions@FreeBSD.ORG Mon Oct 6 11:36:49 2008
From: Giorgos Keramidas
To: Jeremy Chadwick
Cc: Scott Bennett, freebsd-questions@freebsd.org
Subject: Re: pf vs. RST attack question
Date: Mon, 06 Oct 2008 14:36:26 +0300
Message-ID: <87wsgmhs5h.fsf@kobe.laptop>
In-Reply-To: <20081006090704.GB13975@icarus.home.lan> (Jeremy Chadwick's message of "Mon, 6 Oct 2008 02:07:04 -0700")
References: <200810051753.m95Hr3N5014872@mp.cs.niu.edu> <20081006003601.GA5733@icarus.home.lan> <48E9BBED.7090607@infracaninophile.co.uk> <20081006072611.GA13147@icarus.home.lan> <48E9CDA6.80508@infracaninophile.co.uk> <20081006090704.GB13975@icarus.home.lan>

On Mon, 6 Oct 2008 02:07:04 -0700, Jeremy Chadwick wrote:
>>> This is incredibly draconian. :-) I was trying my best to remain
>>> realistic.
>>
>> It's no such thing. This is the recommended standard practice when
>> designing firewalls: always start from the premise that all traffic
>> will be dropped by default and add specific exceptions to allow the
>> traffic you want. [...]
>
> What I mean by 'draconian': "block drop all" includes both incoming
> *and* outgoing traffic.
>
> I have absolutely no qualms with "block in all", but "block out all"
> is too unrealistic, depending greatly on what the purpose of the
> machine is. Any outbound sockets are going to be allocated
> dynamically (e.g. non-static port number), so there's no effective
> way to add pass rules for outbound traffic. Using uid/gid is not
> sufficient.
>
> I often advocate using "block in all", "pass out all", and then adding
> specific "pass" rules for incoming traffic (e.g. an Internet request
> wishing to speak to BIND on port 53, Apache on 80/443, etc.).

Ah! :) I was a bit confused in my last post then. I thought you were
talking about `block in all' too.

> Good discussion! (And I hope the OP is learning something :-) )

:-)
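As an added illustration, not taken from the thread or from any FreeBSD documentation, here are the two rule stances being compared, written out as pf.conf fragments. The interface name em0, the service port list and the outbound destination ports are assumptions chosen for the example; the inbound exceptions mirror the DNS and HTTP/HTTPS services mentioned in the message.

```pf
# Added example, not from the thread. em0 and the port lists are assumptions.
ext_if = "em0"
tcp_services = "{ 53, 80, 443 }"

# Drop blocked packets silently and reassemble fragments before filtering.
set block-policy drop
scrub in on $ext_if all

# --- Stance A: "block in all", "pass out all" -------------------------
# Every inbound packet is dropped unless a later rule passes it. All
# outbound connections are allowed; the state entry created on the way
# out lets the replies back in, so the ephemeral source port chosen by
# the client socket never needs a rule of its own.
block in all
pass out all keep state

# Explicit exceptions for services this host offers (assumed examples):
# BIND on 53/tcp+udp, Apache on 80 and 443.
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services keep state
pass in on $ext_if proto udp to ($ext_if) port 53 keep state

# --- Stance B: "block drop all" (deny by default in both directions) ---
# Use these lines instead of Stance A. Outbound traffic is enumerated by
# destination port; the dynamic source port is still handled by state
# tracking rather than by an explicit pass rule.
# block drop all
# pass out on $ext_if proto { tcp udp } from ($ext_if) to any port { 53, 80, 443, 123 } keep state
# pass in on $ext_if proto tcp to ($ext_if) port $tcp_services keep state
# pass in on $ext_if proto udp to ($ext_if) port 53 keep state
```

Either variant can be syntax-checked without loading it with `pfctl -nf /path/to/pf.conf`; pf evaluates rules last-match-wins, so the broad `block` lines must precede the specific `pass` exceptions, as shown.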