On 28 July 2010 20:39, Greg Hennessy <greg.henne...@nviz.net> wrote:
> > > What disadvantages does it have in term of security in comparison with > > "block all"? In other words, how bad it is to have all outgoing ports > always > > opened and whether someone can use this to hack the sysem? > > > > It's the principle of 'least privilege'. Explicitly allow what is > permitted, deny everything else. > > It should also be > > block log all > > A default block policy without logging has a certain ass biting > inevitability to it. > > However not as much "ass biting" potential as with logging on. Ask anyone who has done commercial firewall work and they'll tell you not to enable logging on the default deny/drop rule unless you are debugging/testing - think denial of service. _______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
