From: "Spenst, Aleksej" <Aleksej.Spenst@harman.com>
To: freebsd-pf@freebsd.org
Date: Wed, 28 Jul 2010 20:55:31 +0200
Subject: For better security: always "block all" or "block in all" is enough?
Hi All,

I have to provide better security for my system and I guess it would be better to start pf.conf with the "block all" rule, opening afterwards only those incoming and outgoing ports that are supposed to be used by the system on external interfaces. However, it would be easier for me to write all pf rules if I start pf.conf with "block in all", i.e. if I block only traffic coming in from the outside and open all ports for outgoing traffic.

- Incoming ports: only udp/68 (for the dhcp client) and http/80 (for the http server) always open;
- Outgoing ports: all ports always open. All traffic going outside from the system has "keep state";

What disadvantages does it have in terms of security in comparison with "block all"? In other words, how bad is it to have all outgoing ports always open, and can someone use this to hack the system?

Thanks a lot for any tips!!

Aleksej.
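The two pf.conf layouts the question contrasts, written out as an added example (constructed here, not the poster's own configuration): the "block in all" variant leaves every outbound port open, while the "block all" variant turns outbound into an explicit list of the services the host is known to use. The interface name em0 and the outbound service list are assumptions.

```pf
# Constructed example, not the poster's pf.conf. The interface name and
# the outbound service list are assumptions; adjust them to the real host.
ext_if = "em0"

# "block all" also covers lo0, so exempt loopback explicitly.
set skip on lo0

# --- Variant A: what the question proposes. Easy to write, but every
# --- process on the host may open a connection to any port anywhere.
# block in all
# pass out on $ext_if all keep state
# pass in on $ext_if proto udp from any port 67 to any port 68 keep state
# pass in on $ext_if proto tcp from any to ($ext_if) port 80 keep state

# --- Variant B: default-deny in both directions, then open only what
# --- the host needs. Outbound is now a named list instead of "everything".
block all

# Inbound, exactly as the question lists: DHCP replies and the web server.
# The DHCP reply does not match the state of the outgoing request
# (0.0.0.0 -> 255.255.255.255), which is why it needs its own pass in rule.
pass in on $ext_if proto udp from any port 67 to any port 68 keep state
pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
    flags S/SA keep state

# Outbound: only the services the host itself uses. Replies to these are
# matched by the state entry, so no extra "pass in" is needed for them.
pass out on $ext_if proto udp from any port 68 to any port 67 keep state   # DHCP
pass out on $ext_if proto { tcp udp } from ($ext_if) to any \
    port { 53, 123 } keep state                                            # DNS, NTP
pass out on $ext_if proto tcp from ($ext_if) to any \
    port { 80, 443 } keep state                                            # updates, packages
pass out on $ext_if inet proto icmp all icmp-type echoreq keep state       # ping
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`; anything the host legitimately needs that is missing from the outbound list shows up as a blocked state attempt in `pfctl -ss` / pflog rather than silently working.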