Date: Wed, 28 Jul 2010 15:29:38 -0400
From: Michael Proto <mike@jellydonut.org>
To: "Spenst, Aleksej" <Aleksej.Spenst@harman.com>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: For better security: always "block all" or "block in all" is enough?
Message-ID: <AANLkTi=fxore1SZZx9JNf6A3NeomX_QW-VT=byruLDZe@mail.gmail.com>
In-Reply-To: <20290C577F743240B5256C89EFA753810C46894B92@HIKAWSEX01.ad.harman.com>
References: <20290C577F743240B5256C89EFA753810C46894B92@HIKAWSEX01.ad.harman.com>
On Wed, Jul 28, 2010 at 2:55 PM, Spenst, Aleksej <Aleksej.Spenst@harman.com> wrote:
> Hi All,
>
> I have to provide better security for my system, and I guess it would be better to start pf.conf with the "block all" rule, opening afterwards only those incoming and outgoing ports that are supposed to be used by the system on external interfaces. However, it would be easier for me to write all pf rules if I start pf.conf with "block in all", i.e. if I block only traffic coming in from the outside and open all ports for outgoing traffic.
>
> - Incoming ports: only udp/68 (for dhcp client) and http/80 (for http server) always open;
> - Outgoing ports: all ports always opened. All traffic going outside from the system has "keep state";
>
> What disadvantages does it have in terms of security in comparison with "block all"? In other words, how bad is it to have all outgoing ports always opened, and can someone use this to hack the system?
>
> Thanks a lot for any tips!!
> Aleksej.
>

Outgoing ports aren't really used as an attack on that system, but as a jump-point to other systems. Say server A allows all outbound traffic. Server B, with sensitive data on it, blocks all inbound access from the Internet but does allow connections from the network where server A is located. Someone hacks server A, and now they have a route to attack server B they didn't have before.

Ideally, limiting outgoing traffic to only intended hosts and/or ports is preferred from a security perspective, but you also have to frame it in the context of what the system will be doing. If you have a good knowledge of what the system needs for both inbound and outbound connectivity, it would probably be a good idea to restrict access both ways. I say probably because if the system's outbound traffic profile is intended to change, requiring changes to the firewall ruleset on a regular basis, it wouldn't make much sense.

If you know there's outbound traffic you definitely don't need, blocking it isn't a bad idea. For a system with only public IP addresses, denying traffic to RFC1918 space is a good example.

-Proto
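The following pf.conf is an added example written for this archive page; it is not from Aleksej, Proto or the FreeBSD project. It puts the two approaches from the thread side by side: the inbound-only filter Aleksej proposes, and the default-deny-both-ways ruleset with an RFC1918 egress block that Proto recommends. The interface name em0, the host's role (DHCP client, HTTP server on tcp/80) and the outbound profile (DNS, NTP, HTTP/HTTPS) are assumptions chosen to make the example concrete.

```pf
# Added example ruleset, not from the thread.
# Assumptions: external interface em0, host is a DHCP client and runs an
# HTTP server on tcp/80, and it needs DNS, NTP and HTTP/HTTPS outbound.
ext_if = "em0"

# RFC1918 space. A host with only public addresses has no business
# initiating connections here; if it does, something is wrong.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# --- Variant discussed in the question: "block in all" ---
# Only inbound is filtered; any outbound connection is allowed, so a
# compromised host can reach whatever the network lets it reach.
#
# block in all
# pass out on $ext_if keep state
# pass in on $ext_if inet proto udp from any port 67 to any port 68
# pass in on $ext_if inet proto tcp to ($ext_if) port 80 keep state

# --- Variant recommended in the reply: "block all" plus explicit egress ---
block log all

# Deny outbound traffic to private ranges before any pass rule can match.
# "quick" stops evaluation here, so a later pass rule cannot override it.
block out log quick on $ext_if to <rfc1918>

# Inbound: DHCP server replies and the HTTP server, nothing else.
pass in on $ext_if inet proto udp from any port 67 to any port 68
pass in on $ext_if inet proto tcp to ($ext_if) port 80 keep state

# Outbound: DHCP requests plus the known egress profile, all stateful.
pass out on $ext_if inet proto udp from any port 68 to any port 67
pass out on $ext_if inet proto { tcp udp } to any port 53 keep state
pass out on $ext_if inet proto udp to any port 123 keep state
pass out on $ext_if inet proto tcp to any port { 80 443 } keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. Because the default block rule carries `log`, anything the host tries to send that is not in the egress profile shows up on the pflog interface, which is also how you discover legitimate outbound traffic the profile missed before the ruleset goes live.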