PF Any reason to not pass out all?

I am running a webserver in a FreeBSD jail and use pf to redirect traffic to the jail.

Is there particular reason not to pass out all initiated traffic?

Code:
pass out quick all
 
As you can see this is my first post, so beware of what I say :)

If security is truly a concern, traffic should be allowed only when required, and not just blocking what is not needed, because you may not know what traffic wants to go out. Thinking about it, why should a webserver initiate outbound traffic? Anyway, should your system ever get compromised, blocking locally initiated outbound traffic has the potential to block malware contacting a command and control server and prevent further damage.

Just my $0.02
 
Is there particular reason not to pass out all initiated traffic?
That's going to depend on your web application. Some applications need to do DNS lookups, or send mail. You would need to allow that traffic. Starting off with blocking everything is usually a good thing but you may need to open up things in order to make it work again.
 
Yes, there is a reason for not passing out all traffic: security. Just pass out what you need.

Why? Just imagine your site gets compromised. Even if it's just a normal user, your jail could be used to send spam (this often happened to my customers' sites until I locked them all down), or be used as a jumphost to attack other servers, or anything else you can or cannot imagine.
 
Not specifically relevant on FreeBSD servers, but if you run proprietary software that you do not necessarily trust (i.e. in Linux compat, Wine, Google Chrome, Java) then I like to block outgoing traffic to prevent creepy arrogant practices like analytics and telemetry plaguing the current IT world.

FreeBSD doesn't have an application level firewall, but you can kinda get round it by blocking all traffic apart from that by a specific user (i.e. trusted) and then run i.e. su -l trusted -c mytrustedapp
 
Thanks everyone for the info.

I changed my rules to allow outgoing traffic only on web and ssh ports. I was a bit reluctant at first because I felt I would lock myself out...

FreeBSD doesn't have an application level firewall, but you can kinda get round it by blocking all traffic apart from that by a specific user (i.e. trusted) and then run i.e. su -l trusted -c mytrustedapp

I had never heard of "trusted". Do you have a link for it in the documentation? I am having a hard time finding it.
 
I had never heard of "trusted". Do you have a link for it in the documentation? I am having a hard time finding it.

Ah, that is probably my example being awkward. "trusted" is my user that I allow firewall out privileges to.
su -l <username> -c <command>
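Putting the advice from the replies above together (default deny outbound, explicit passes for DNS, mail, web and ssh, plus a pf `user` rule for a dedicated account), here is an added pf.conf fragment; it is not from any poster in this thread. The interface name em0, the jail alias address 192.0.2.10 and the account name trusted are placeholders, and the existing rdr rule for the jail is assumed to stay as already configured.

```conf
# Added example, not from the thread. Placeholders: em0, 192.0.2.10, user "trusted".
ext_if  = "em0"
jail_ip = "192.0.2.10"

set skip on lo0

# Default deny in both directions; "log" sends blocked attempts to pflog0,
# so an unexpected outbound connection from the jail shows up in the logs.
block log all

# Inbound service ports: clients reaching the web server, and ssh to the host.
pass in on $ext_if proto tcp from any to $jail_ip port { 80, 443 } keep state
pass in on $ext_if proto tcp from any to $ext_if  port 22           keep state

# Outbound from the jail: only what the application needs (stateful, so
# replies are allowed back without a separate "pass in" rule).
pass out on $ext_if proto { tcp, udp } from $jail_ip to any port 53        keep state  # DNS lookups
pass out on $ext_if proto tcp          from $jail_ip to any port 25        keep state  # outbound mail, if the app sends it
pass out on $ext_if proto tcp          from $jail_ip to any port { 80, 443 } keep state  # web, e.g. package fetches
pass out on $ext_if proto tcp          from $jail_ip to any port 22        keep state  # ssh

# Outbound from the host only for sockets owned by the "trusted" account
# (run the program as: su -l trusted -c mytrustedapp). The "user" option
# matches the local socket owner, so it applies to locally originated
# connections, not to traffic merely forwarded through the host.
pass out on $ext_if proto { tcp, udp } from $ext_if to any user trusted keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, and watch `tcpdump -n -e -ttt -i pflog0` to see which outbound connections the default deny is catching before deciding whether another port really needs opening.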
 