Date:      Thu, 29 Jul 2010 03:52:52 +0100
From:      Peter Maxwell <peter@allicient.co.uk>
To:        Greg Hennessy <Greg.Hennessy@nviz.net>
Cc:        "Spenst, Aleksej" <Aleksej.Spenst@harman.com>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: For better security: always "block all" or "block in all" is  enough?
Message-ID:  <AANLkTiknzx6-MgHMgpiARNZ43j00Wy_gORt%2BM9AXV6FZ@mail.gmail.com>
In-Reply-To: <9E8D76EC267C9444AC737F649CBBAD902769BF6F5B@PEMEXMBXVS02.jellyfishnet.co.uk.local>
References:  <20290C577F743240B5256C89EFA753810C46894B92@HIKAWSEX01.ad.harman.com> <9E8D76EC267C9444AC737F649CBBAD902769BF6F5B@PEMEXMBXVS02.jellyfishnet.co.uk.local>

On 28 July 2010 20:39, Greg Hennessy <Greg.Hennessy@nviz.net> wrote:

>
> > What disadvantages does it have in terms of security in comparison with
> > "block all"? In other words, how bad is it to have all outgoing ports
> > always opened and whether someone can use this to hack the system?
> >
>
> It's the principle of 'least privilege'.  Explicitly allow what is
> permitted, deny everything else.
>
> It should also be
>
>        block log all
>
> A default block policy without logging has a certain ass biting
> inevitability to it.
>
>
However not as much "ass biting" potential as with logging on.  Ask anyone
who has done commercial firewall work and they'll tell you not to enable
logging on the default deny/drop rule unless you are debugging/testing -
think denial of service.
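As an added illustration of the policy discussed in this thread (default deny in both directions, explicit pass rules, and logging only on specific rules rather than on the default block), here is an example pf.conf fragment; it is not from any poster, and the interface name and networks in it are assumptions:

```pf
# Added example pf.conf fragment (not from the thread).
# Interface name and network values below are assumed for illustration.
ext_if    = "em0"
admin_net = "192.0.2.0/24"    # constructed example management network

set skip on lo0
set block-policy drop

# Default deny, both directions, WITHOUT "log": a logged default block
# turns every scan or misconfigured client into log traffic on pflog0.
block all

# Log only the specific denials you actually want to see, e.g. SSH
# attempts from outside the admin network.  pf uses last-match-wins
# unless "quick" is given, so the later "pass" for $admin_net overrides
# this block for admin traffic only.
block in log on $ext_if proto tcp to ($ext_if) port 22
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port 22 keep state

# Explicitly permit the outbound services this host needs; anything
# else is caught by the unlogged default "block all" above.
pass out on $ext_if proto { tcp udp } from ($ext_if) to any port 53 keep state
pass out on $ext_if proto udp from ($ext_if) to any port 123 keep state
pass out on $ext_if proto tcp from ($ext_if) to any port { 80 443 } keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and inspect what the logged rule catches with `tcpdump -n -e -ttt -i pflog0`.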