From: Greg Hennessy <Greg.Hennessy@nviz.net>
To: "Spenst, Aleksej", freebsd-pf@freebsd.org
Date: Wed, 28 Jul 2010 20:39:55 +0100
Subject: RE: For better security: always "block all" or "block in all" is enough?
Message-ID: <9E8D76EC267C9444AC737F649CBBAD902769BF6F5B@PEMEXMBXVS02.jellyfishnet.co.uk.local>
In-Reply-To: <20290C577F743240B5256C89EFA753810C46894B92@HIKAWSEX01.ad.harman.com>
List: freebsd-pf@freebsd.org ("Technical discussion and general questions about packet filter (pf)")
> What disadvantages does it have in terms of security in comparison with
> "block all"? In other words, how bad is it to have all outgoing ports always
> opened, and can someone use this to hack the system?

It's the principle of 'least privilege'. Explicitly allow what is permitted, deny everything else.

It should also be

block log all

A default block policy without logging has a certain ass-biting inevitability to it.

Greg
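The ruleset shape Greg describes, written out as an added example for this page (it is not from the thread, nor from any FreeBSD or pf project file): the "block in all" variant the question asks about is shown commented out, followed by a logged default deny with an explicit allow list in both directions. The interface name em0 and the particular permitted ports are assumptions chosen for illustration.

```pf
# Added example, not from the thread: a default-deny pf.conf for a single
# host. The interface name and the permitted ports are assumptions.
ext_if = "em0"

set skip on lo0
scrub in all

# The weaker policy asked about in the thread. Inbound is denied, but
# anything the host originates (including a compromised service calling
# home) passes unless a later rule blocks it:
#   block in all

# Default deny in both directions, logged to pflog0 so that what the
# ruleset drops is visible rather than silently discarded.
block log all

# Explicit outbound allow list. Stateful rules let the replies back in
# without a matching "pass in".
pass out on $ext_if proto udp to any port { 53, 123 } keep state
pass out on $ext_if proto tcp to any port { 22, 80, 443 } flags S/SA keep state
pass out on $ext_if inet proto icmp icmp-type echoreq keep state

# Explicit inbound allow list: only SSH to this host's own address.
pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. With pflog enabled (pflog_enable="YES" in rc.conf on FreeBSD), the packets the "block log all" rule drops can be watched with `tcpdump -n -e -ttt -i pflog0`; that is the record a plain "block all" never produces, and it is also how you discover which legitimate outbound service you forgot to permit.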