With a default block, both in and out, I was wondering what is the best approach to whitelist services. To do:
    pass in on $internal inet proto tcp to any port $tcp_services

Or:

    pass out on $external inet proto tcp to any port $tcp_services

I know that with the pass out on $external, the router itself is also blocked from sending data out on anything other than these TCP service ports, while with pass in on $internal, only the machines attached to the internal interface are blocked from anything other than the TCP services. I'm thinking that everything should be blocked, and as such the router itself too, which is best done by limiting what the external interface can send out. Any machine attached to the internal interface that tries to connect on any port can't get any further anyway, since the external interface cannot send except on the whitelisted TCP/UDP services. Any advice?
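As an added illustration (not part of the original post), here is a complete pf.conf skeleton that puts the two rules discussed above together under a default block, so the effect of each can be seen in one ruleset. The interface names, the LAN prefix and the contents of the service lists are assumptions chosen for the example; substitute your own.

```pf
# Added example, not from the original post: a minimal pf.conf for the
# "default block, whitelist services" setup being discussed.
# Interface names, $lan_net and the service lists are assumptions.

external = "em0"
internal = "em1"
lan_net  = "192.168.1.0/24"
tcp_services = "{ 22, 80, 443 }"
udp_services = "{ 53, 123 }"

set skip on lo

# Default policy: drop everything, in and out, on every interface.
# pass rules keep state by default, so replies to allowed connections
# come back without extra rules.
block all

# Forwarded traffic: a packet from the LAN is evaluated when it arrives
# on $internal and evaluated again when it leaves on $external. Without
# this pass in rule, block all drops it at $internal before it ever
# reaches the external interface.
pass in  on $internal inet proto tcp from $lan_net to any port $tcp_services
pass in  on $internal inet proto udp from $lan_net to any port $udp_services

# Outbound on $external: this is where connections the router itself
# originates are filtered, so the router is held to the same whitelist
# as the LAN hosts.
pass out on $external inet proto tcp to any port $tcp_services
pass out on $external inet proto udp to any port $udp_services
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf` (parse only, nothing is loaded); then load with `pfctl -f /etc/pf.conf` and confirm what is active with `pfctl -sr`. Anything not matched by one of the pass rules, whether forwarded from the LAN or sent by the router itself, falls through to `block all`.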