Date:      Mon, 06 Oct 2008 14:36:26 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Jeremy Chadwick <koitsu@freebsd.org>
Cc:        Scott Bennett <bennett@cs.niu.edu>, freebsd-questions@freebsd.org
Subject:   Re: pf vs. RST attack question
Message-ID:  <87wsgmhs5h.fsf@kobe.laptop>
In-Reply-To: <20081006090704.GB13975@icarus.home.lan> (Jeremy Chadwick's message of "Mon, 6 Oct 2008 02:07:04 -0700")
References:  <200810051753.m95Hr3N5014872@mp.cs.niu.edu> <20081006003601.GA5733@icarus.home.lan> <48E9BBED.7090607@infracaninophile.co.uk> <20081006072611.GA13147@icarus.home.lan> <48E9CDA6.80508@infracaninophile.co.uk> <20081006090704.GB13975@icarus.home.lan>

On Mon, 6 Oct 2008 02:07:04 -0700, Jeremy Chadwick <koitsu@freebsd.org> wrote:
>>> This is incredibly draconian.  :-)  I was trying my best to remain
>>> realistic.
>>
>> It's no such thing.  This is the recommended standard practice when
>> designing firewalls: always start from the premise that all traffic
>> will be dropped by default and add specific exceptions to allow the
>> traffic you want.  [...]
>
> What I mean by 'draconian': "block drop all" includes both incoming
> *and* outgoing traffic.
>
> I have absolutely no qualms with "block in all", but "block out all"
> is too unrealistic, depending greatly on what the purpose of the
> machine is.  Any outbound sockets are going to be allocated
> dynamically (e.g.  non-static port number), so there's no effective
> way to add pass rules for outbound traffic.  Using uid/gid is not
> sufficient.
>
> I often advocate using "block in all", "pass out all", and then adding
> specific "pass" rules for incoming traffic (e.g. an Internet request
> wishing to speak to BIND on port 53, Apache on 80/443, etc.).

Ah! :)

I was a bit confused in my last post then.  I thought you were talking
about `block in all' too.

> Good discussion!  (And I hope the OP is learning something :-) )

:-)
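The two policies discussed in the quoted exchange, written out as an added pf.conf example (constructed for this page, not taken from the thread); the interface name em0 and the outbound service list are assumptions:

```pf
# Constructed example, not from the thread.  Keep exactly ONE of the two
# policy sections below in a real pf.conf: pf applies the last matching rule,
# so the sections would override each other if both were loaded.
ext_if       = "em0"                  # assumption: rename to the real interface
tcp_services = "{ 53, 80, 443 }"      # BIND on 53, Apache on 80/443

set skip on lo0                       # never filter loopback

# ---- Policy A: "block in all" / "pass out all" ---------------------------
# Everything inbound is dropped, everything outbound is allowed, and the
# state created by 'pass out' admits the replies to our own connections.
block in log all
pass out all keep state

# Inbound exceptions for the services this host actually offers.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
        flags S/SA keep state
pass in on $ext_if proto udp from any to ($ext_if) port 53 keep state

# ---- Policy B: "block drop all" in both directions -----------------------
# Outbound rules match on the *destination* service, not on the ephemeral
# source port; 'keep state' then lets the return half of each flow back in.
block drop log all
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port 53 keep state   # resolver
pass out on $ext_if proto tcp from ($ext_if) to any port { 80, 443 } keep state   # fetches
pass out on $ext_if proto udp from ($ext_if) to any port 123 keep state           # ntpd
pass in  on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
        flags S/SA keep state
pass in  on $ext_if proto udp from any to ($ext_if) port 53 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `-n` parses the rules without installing them, so a typo cannot lock you out of a remote box.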
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?87wsgmhs5h.fsf>