Date: Wed, 28 Jul 2010 20:55:31 +0200
From: "Spenst, Aleksej" <Aleksej.Spenst@harman.com>
To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: For better security: always "block all" or "block in all" is enough?
Message-ID: <20290C577F743240B5256C89EFA753810C46894B92@HIKAWSEX01.ad.harman.com>
Hi All,

I have to provide better security for my system and I guess it would be better to start pf.conf with the "block all" rule, opening afterwards only those incoming and outgoing ports that are supposed to be used by the system on external interfaces. However, it would be easier for me to write all pf rules if I start pf.conf with "block in all", i.e. if I block only traffic coming in from the outside and open all ports for outgoing traffic.

- Incoming ports: only udp/68 (for dhcp client) and http/80 (for http server) always open;
- Outgoing ports: all ports always opened. All traffic going outside from the system has "keep state";

What disadvantages does it have in terms of security in comparison with "block all"? In other words, how bad is it to have all outgoing ports always opened, and whether someone can use this to hack the system?

Thanks a lot for any tips!!

Aleksej.
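As an added illustration (not part of the original message or the thread), the two policies the question compares, written as pf.conf fragments. The interface name em0 and the set of outbound services a host is assumed to need (DNS, NTP, HTTP/HTTPS, ping) are assumptions for the example.

```pf
# --- Policy A: what the question proposes (default-deny inbound only) ---
# block in all
# pass out all keep state
#
# Any process on the host, including one that was compromised through the
# web server, may open outbound connections to any port on any host.
# Nothing is logged, so a reverse connection or data leaving the box is
# invisible to pf.

# --- Policy B: default-deny in both directions, egress enumerated ---
ext_if = "em0"            # assumed external interface
set skip on lo0           # loopback is not filtered

# "log" sends every blocked packet to pflog0, so an unexpected outbound
# attempt (e.g. from a compromised service) becomes visible with tcpdump.
block log all

# Inbound, exactly the two services from the question.
# DHCP client: server replies arrive on udp/68 (possibly as broadcast).
pass in quick on $ext_if inet proto udp from any port 67 to any port 68
# HTTP server; ($ext_if) tracks the DHCP-assigned address dynamically.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 \
    flags S/SA keep state

# Outbound: only what this host is expected to initiate.
pass out on $ext_if inet proto udp from any port 68 to any port 67   # dhcp
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) \
    to any port 53 keep state                                        # dns
pass out on $ext_if inet proto udp from ($ext_if) to any port 123 \
    keep state                                                       # ntp
pass out on $ext_if inet proto tcp from ($ext_if) \
    to any port { 80, 443 } flags S/SA keep state                    # web
pass out on $ext_if inet proto icmp from ($ext_if) \
    to any icmp-type echoreq keep state                              # ping

# Everything else leaving the host hits "block log all" and is recorded.
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch denied egress with `tcpdump -n -e -ttt -i pflog0`.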
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20290C577F743240B5256C89EFA753810C46894B92>