On Mon, 6 Oct 2008 02:07:04 -0700, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:

>>> This is incredibly draconian. :-) I was trying my best to remain
>>> realistic.
>>
>> It's no such thing. This is the recommended standard practice when
>> designing firewalls: always start from the premise that all traffic
>> will be dropped by default and add specific exceptions to allow the
>> traffic you want. [...]
>
> What I mean by 'draconian': "block drop all" includes both incoming
> *and* outgoing traffic.
>
> I have absolutely no qualms with "block in all", but "block out all"
> is too unrealistic, depending greatly on what the purpose of the
> machine is. Any outbound sockets are going to be allocated
> dynamically (e.g. non-static port number), so there's no effective
> way to add pass rules for outbound traffic. Using uid/gid is not
> sufficient.
>
> I often advocate using "block in all", "pass out all", and then adding
> specific "pass" rules for incoming traffic (e.g. an Internet request
> wishing to speak to BIND on port 53, Apache on 80/443, etc.).
Ah! :) I was a bit confused in my last post then. I thought you were
talking about `block in all' too.

> Good discussion! (And I hope the OP is learning something :-) )

:-)

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
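The thread contrasts a fully default-deny ruleset with the "block in all", "pass out all" policy that Jeremy describes; the pf.conf sketch below is an added illustration of the latter, not something posted by any participant. The interface name em0 is an assumption, and the service ports are the ones named in the thread (BIND on 53, Apache on 80/443).

```pf
# Added example pf.conf; not from the thread. em0 is an assumed interface.
ext_if       = "em0"
tcp_services = "{ 53, 80, 443 }"   # BIND (TCP) and Apache, per the thread
udp_services = "{ 53 }"            # BIND (UDP)

set skip on lo0                    # never filter loopback traffic

# Default policy: refuse everything that arrives on this host.
block in all

# Let the host originate connections freely. pf records a state entry for
# each outbound connection, so replies to the dynamically chosen source
# port are matched by that state and need no explicit "pass in" rule.
pass out all keep state

# Specific exceptions for services this host offers to the Internet.
# ($ext_if) tracks the interface address even if it changes; flags S/SA
# means only a connection-opening SYN creates state.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) \
    port $udp_services keep state
```

Check the syntax without loading it using `pfctl -nf /path/to/pf.conf`, and inspect the resulting state table with `pfctl -ss` to see the outbound connections that "pass out all" is tracking.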