From: Michael Proto
To: "Spenst, Aleksej"
Cc: freebsd-pf@freebsd.org
Date: Wed, 28 Jul 2010 15:29:38 -0400
Subject: Re: For better security: always "block all" or "block in all" is enough?
List-Id: Technical discussion and general questions about packet filter (pf)

On Wed, Jul 28, 2010 at 2:55 PM, Spenst, Aleksej wrote:
> Hi All,
>
> I have to provide for my system better security and I guess it would be better to start pf.conf with the "block all" rule, opening afterwards only those incoming and outgoing ports that are supposed to be used by the system on external interfaces. However, it would be easier for me to write all pf rules if I start pf.conf with "block in all", i.e. if I block only traffic coming in from the outside and open all ports for outgoing traffic.
>
> - Incoming ports: only udp/68 (for dhcp client) and http/80 (for http server) always open;
> - Outgoing ports: all ports always opened. All traffic going outside from the system has "keep state";
>
> What disadvantages does it have in terms of security in comparison with "block all"? In other words, how bad is it to have all outgoing ports always opened, and can someone use this to hack the system?
>
> Thanks a lot for any tips!!
> Aleksej.
>

Outgoing ports aren't really used as an attack on that system, but as a jump-point to other systems. Say server A allows all outbound traffic. Server B, with sensitive data on it, blocks all inbound access from the Internet but does allow connections from the network where server A is located. Someone hacks server A, and now they have a route to attack server B they didn't have before.

Ideally, limiting outgoing traffic to only intended hosts and/or ports is preferred from a security perspective, but you also have to frame it in the context of what the system will be doing. If you have a good knowledge of what the system needs for both inbound and outbound connectivity, it would probably be a good idea to restrict access both ways. I say probably because if the system's outbound traffic profile is intended to change, requiring changes to the firewall ruleset on a regular basis, it wouldn't make much sense.

If you know there's outbound traffic you definitely don't need, blocking it isn't a bad idea. For a system with only public IP addresses, denying traffic to RFC1918 space is a good example.

-Proto
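As an added illustration (not part of either poster's message), here is a pf.conf that shows the "block in all" ruleset Aleksej describes next to a "block all" variant with explicit egress rules along the lines Proto suggests, including the RFC1918 egress block. The interface name, the DNS/NTP addresses (TEST-NET placeholders) and the set of outbound services the host needs are assumptions.

```pf
# --- macros and tables (all values assumed; 192.0.2.0/24 is a documentation net) ---
ext_if      = "em0"
dns_servers = "{ 192.0.2.53 }"
ntp_servers = "{ 192.0.2.123 }"
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in on $ext_if all

# --- Variant 1 (commented out): "block in all", everything allowed out ---
# This is the ruleset from the question. Inbound is tight, but a compromised
# process on this host can reach any address and port on the Internet or on
# neighbouring networks, which is the pivot risk Proto describes.
#
# block in all
# pass in on $ext_if inet proto udp from any port 67 to any port 68
# pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 flags S/SA keep state
# pass out on $ext_if all keep state

# --- Variant 2: "block all", then open only what the host is known to need ---
block log all                                   # default deny in both directions

# inbound: DHCP client replies and the HTTP service, as in the question
pass in on $ext_if inet proto udp from any port 67 to any port 68
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 flags S/SA keep state

# egress: a public-only host has no business talking to private address space.
# "quick" makes this final, so no later "pass out" rule can override it.
block out log quick on $ext_if to <rfc1918>

# egress: the outbound traffic this host is assumed to need
pass out on $ext_if inet proto udp from any port 68 to any port 67 keep state   # DHCP requests
pass out on $ext_if inet proto { tcp, udp } to $dns_servers port 53 keep state   # resolver
pass out on $ext_if inet proto udp to $ntp_servers port 123 keep state           # time sync
pass out on $ext_if inet proto tcp to any port { 80, 443 } flags S/SA keep state # package fetches
pass out on $ext_if inet proto icmp all icmp-type echoreq keep state             # outbound ping
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, then watch `pflog0` with tcpdump for a while after activating it to see which outbound flows the default deny is catching before trusting the list of allowed services.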