Hudson Delbert J Contr 61 CS/SCBN wrote:
> this should be a basic rule of netsec 101 ...
>
> one should have to 'turn' on any allowed traffic out of the box.
>
> i.e. ... the firewall should not allow ANY traffic by default until
> specifically TOLD TO DO SO BY THE ADMIN.
>
> this is a good thing.

Just my two cents on this: If your firewall is designed correctly, there shouldn't be any network-available services running barring SSH. Because of this, if a hacker gets into your firewall I assume that 99.9999% of the time, they'll have root access. Any hacker that could hack into your Linux box will be able to disable any iptables rules in a second. Hence, blocking the OUTPUT chain on a firewall does NOT secure you against hackers.

It does protect you against yourself if you really need it. For a tightly regimented network with many admins of varying experience, this might be a sane policy to implement. Beyond that, it's simply bureaucratic overhead.
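To make the two positions in this exchange concrete, here is an added example that is not part of the original thread: an "allow by default" iptables ruleset of the kind the quoted post argues against, next to a default-deny ruleset in which every built-in chain (INPUT, OUTPUT and FORWARD) is set to DROP and only SSH management access plus explicitly chosen forwarded traffic is turned on. Both are written in iptables-restore format; the interface names, the admin subnet and the forwarded service are constructed placeholders. The small awk check at the end is the kind of audit a reader of this thread might want: it lists any built-in chain still left at ACCEPT, so a ruleset can be verified before it is loaded.

```shell
#!/bin/sh
# Added example, not from the original mailing-list message.
# Interface names (eth0 = outside, eth1 = inside), the admin subnet
# 192.0.2.0/24 and the forwarded service (HTTPS) are constructed placeholders.

# The "allow by default" shape: every chain accepts unless a rule says otherwise.
weak_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Default-deny on all three built-in chains; the admin has to turn each flow on.
default_deny_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and replies to flows that were already allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the one listening service the reply allows on the firewall: SSH, and only from the admin net
-A INPUT -p tcp -s 192.0.2.0/24 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# forwarded traffic is switched on per service; here inside hosts may reach HTTPS on the outside
-A FORWARD -i eth1 -o eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# log what the default policy drops so a too-tight ruleset shows up in the logs, not as silence
-A INPUT -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -j LOG --log-prefix "fw-out-drop: "
-A FORWARD -j LOG --log-prefix "fw-fwd-drop: "
COMMIT
EOF
}

# Read an iptables-restore ruleset on stdin and print the names of built-in
# chains whose policy is still ACCEPT, one per line. No output means default-deny.
chains_with_default_accept() {
    awk '/^:(INPUT|OUTPUT|FORWARD) ACCEPT/ { sub(/^:/, "", $1); print $1 }'
}

# Exit 0 when every built-in chain in the ruleset on stdin has policy DROP.
is_default_deny() {
    [ -z "$(chains_with_default_accept)" ]
}

# Load on a real firewall (as root, ideally from a console rather than over
# the SSH session you are about to restrict):
#   default_deny_ruleset | iptables-restore
```

The audit function deliberately reads the ruleset text rather than the running kernel state, so it can run on a workstation before the change is applied; checking the live policy afterwards with `iptables -S INPUT | head -1` is the matching post-deployment step. Note that, as the reply points out, none of this constrains someone who already has root on the firewall host itself; the value of the default-deny OUTPUT policy is that an admin's mistake or a forgotten service fails closed and is logged.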