On Mon, 2005-04-25 at 17:47:29 +0930, alex wilkinson proclaimed...

> Question: Isn't this a bad thing ? I would have thought it is best
> practice to only allow incoming and outgoing connections
> _explicitly_.  With the reason being some OS upload information to
> base camp (redmond) for statistical analysis.

I'm sure it's great for what Daniel does; it is for me.

Why don't you stop using the operating systems from Redmond (I know,
unlikely to happen)? Or read the pf.conf(5) and look for the "block"
keyword.
  
> I do something along the lines of:
> 
> pass out on $EXT_IF inet proto tcp from $INT_IF:network to any  \
> port {80,443,22,21,20,6667} flags S/SA keep state

...and when you try to use a PASV ftp connection, things die.

> So in a nutshell, do most of you guys just allow all TCP/UDP traffic
> out ? 

Don't forget ICMP.

> Or is what I am currently doing better ?

Sounds like it's better for what you're doing, but you probably already knew
that.

- Eric
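
Added example, not from either poster: a default-deny pf.conf in the explicit egress style Alex describes, with the two things Eric flags added (ICMP, and passive FTP via ftp-proxy). It assumes OpenBSD pf syntax from 4.7 onward (match/rdr-to), interface names em0/em1, and ftp-proxy(8) listening on 127.0.0.1:8021; those are assumptions, not something from the thread.

```pf
# Added example (not from the thread). Assumes OpenBSD pf >= 4.7 syntax,
# em0 = external, em1 = internal, ftp-proxy(8) running on 127.0.0.1:8021.
ext_if  = "em0"
int_if  = "em1"
out_tcp = "{ 20, 21, 22, 80, 443, 6667 }"
out_udp = "{ 53, 123 }"

set skip on lo0

# Default deny in both directions, logged: a host "phoning home" shows up
# on pflog0 instead of quietly succeeding or quietly vanishing.
block log all

# NAT for the internal network (needed for a typical home/office gateway).
match out on $ext_if inet from $int_if:network nat-to ($ext_if)

# Passive FTP: the data connection lands on a random high port, so a fixed
# port list (the rule quoted above) blocks it. ftp-proxy(8) watches the
# control channel and inserts the per-session pass rules into this anchor.
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port 21 rdr-to 127.0.0.1 port 8021
# The proxy itself opens the control connection from the firewall's address.
pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 keep state

# Let the internal network reach the firewall / be forwarded; egress is then
# decided by the explicit "pass out" rules on $ext_if below.
pass in on $int_if inet from $int_if:network to any keep state

# Explicit egress: only the listed TCP/UDP services, stateful.
pass out on $ext_if inet proto tcp from $int_if:network to any port $out_tcp flags S/SA keep state
pass out on $ext_if inet proto udp from $int_if:network to any port $out_udp keep state

# ICMP (Eric's "don't forget ICMP"): echo requests out; replies and ICMP
# errors for tracked flows are matched by the state entry, not a new rule.
pass out on $ext_if inet proto icmp from $int_if:network to any icmp-type echoreq keep state
```

Check what the default block is dropping with `tcpdump -n -e -ttt -i pflog0` before deciding whether an entry belongs in `out_tcp`/`out_udp` or is something a host should not be doing.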
