With a default block, both in and out, I was wondering what is the best approach to
whitelist services. To do:
pass in on $internal inet proto tcp to any port $tcp_services
Or:
pass out on $external inet proto tcp to any port $tcp_services
I know that with the pass out on $external the router itself is also blocked
from sending data out on anything other than these tcp service ports, while with pass in on
$internal, only the machines attached to the internal interface are blocked from anything other
than the tcp services.
I'm thinking that everything should be blocked and as such also the router itself,
which is best done by limiting the external interface from sending stuff out. Any
machine attached to the internal interface that tries to connect on any port, can't
get any further anyway since the external interface cannot send except in the
whitelisted tcp/udp services.
Any advice?
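For illustration, here is a small pf.conf fragment combining both approaches (an added example, not part of the original post). It keeps a default block in both directions, whitelists outbound TCP and UDP services for hosts behind the internal interface, and also restricts the router's own outbound traffic on the external interface. The interface names, the $tcp_services/$udp_services port lists and the "interface:network" notation are assumptions; NAT is left out.

```pf
# Added example (not from the original post). Interface names and port
# lists are assumptions; adjust to the real ruleset.
ext_if = "em0"
int_if = "em1"
tcp_services = "{ 22, 80, 443 }"
udp_services = "{ 53, 123 }"

set skip on lo

# Default deny in both directions. This also covers the router itself.
block all

# Hosts behind the internal interface may only reach the whitelisted
# services. State is kept, so replies are matched without extra rules.
pass in on $int_if inet proto tcp from $int_if:network to any port $tcp_services keep state
pass in on $int_if inet proto udp from $int_if:network to any port $udp_services keep state

# The router's own outbound connections (and forwarded traffic leaving
# via the external interface) are limited to the same whitelisted ports.
pass out on $ext_if inet proto tcp to any port $tcp_services keep state
pass out on $ext_if inet proto udp to any port $udp_services keep state
```

With pf's default floating state policy, a state created by the "pass in on $int_if" rule also matches the same connection when it leaves on $ext_if, so the "pass out" rules mainly decide what the router itself may initiate; having both rules makes the intent explicit on each interface. A syntax check before loading is done with `pfctl -nf /etc/pf.conf`, and `pfctl -sr` shows the parsed rules afterwards.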