Date:      Wed, 28 Jul 2010 20:39:55 +0100
From:      Greg Hennessy <Greg.Hennessy@nviz.net>
To:        "Spenst, Aleksej" <Aleksej.Spenst@harman.com>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   RE: For better security: always "block all" or "block in all" is enough?
Message-ID:  <9E8D76EC267C9444AC737F649CBBAD902769BF6F5B@PEMEXMBXVS02.jellyfishnet.co.uk.local>
In-Reply-To: <20290C577F743240B5256C89EFA753810C46894B92@HIKAWSEX01.ad.harman.com>
References:  <20290C577F743240B5256C89EFA753810C46894B92@HIKAWSEX01.ad.harman.com>


> What disadvantages does it have in terms of security in comparison with
> "block all"? In other words, how bad is it to have all outgoing ports always
> opened, and whether someone can use this to hack the system?
>

It's the principle of 'least privilege'.  Explicitly allow what is permitted, deny everything else.

It should also be

	block log all

A default block policy without logging has a certain ass biting inevitability to it.



Greg
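The two policies discussed in the thread side by side, as an added pf.conf example that is not part of the original message. The interface name (em0), the management network (192.0.2.0/24) and the permitted ports are assumptions chosen for illustration; a real ruleset would list exactly the services the host needs and nothing else.

```pf
# Added example (not from the thread). Interface, network and ports are assumptions.
ext_if   = "em0"
mgmt_net = "192.0.2.0/24"

# Options must precede filter rules in pf.conf. Loopback traffic is exempted so
# local services keep working under a deny-by-default policy.
set skip on lo0

# --- Variant asked about: "block in all" ---
# Only inbound traffic is denied by default. Any connection the host itself
# initiates leaves unchecked, and nothing is logged.  (Commented out here.)
# block in all

# --- Variant recommended in the reply: "block log all" ---
# Both directions are denied unless a later rule explicitly passes the traffic,
# and every packet that hits this rule is written to pflog0, so a blocked
# connection shows up in the log instead of failing silently.
block log all

# Inbound: only SSH from the management network to this host.
pass in  on $ext_if proto tcp from $mgmt_net to ($ext_if) port 22 keep state

# Outbound: only what the host is expected to initiate (DNS, HTTP, HTTPS).
pass out on $ext_if proto { tcp udp } from ($ext_if) to any port 53 keep state
pass out on $ext_if proto tcp from ($ext_if) to any port { 80 443 } keep state
```

Because pf evaluates rules last-match-wins (absent `quick`), the `pass` rules after `block log all` carve out the permitted traffic; everything not listed, inbound or outbound, is dropped and logged. The logged packets can be inspected with `tcpdump -n -e -ttt -i pflog0`, which is how a mistaken or unexpected block is noticed before it turns into the "ass biting" the reply mentions.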


