Hi,

> For what it's worth, the Swisscom approach seems sensible to me. At
> least if I understand it correctly, in that they by default only block
> ports associated with application protocols known to be insecure, meant
> for home network use only, etc. All other ports and protocols not on
> the blacklist are let through in both directions. As far as I know this
> has been working out fine for them.
I like that approach as well. It might be generalised into "ports <= x are blocked by default and can be opened manually, ports > x are open by default". Whether x=1024, x=10000 or x=16384 can be discussed. If usually services aren't listening on those high-numbered ports then the firewall blocking incoming packets for them doesn't make much of a difference anyway.

Cheers,
Sander
signature.asc
Description: Message signed with OpenPGP using GPGMail
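The threshold policy Sander sketches ("ports <= x blocked inbound by default, can be opened manually, ports > x open") is easy to express as an nftables ruleset for a home router. The script below is an added illustration written for this archive page, not code from the thread or from any ISP's CPE; the table name, set name, the `wan0` interface name and the sample allowlist are assumptions. It emits a `forward` chain for traffic arriving from the WAN side, lets established and related flows through, opens the manually allowed low ports, drops everything else at or below the threshold, and lets higher ports fall through to the chain's `accept` policy. Outbound traffic is untouched, matching the "open in both directions above x" idea. Load the output with `nft -f` on a test box before trusting it.

```shell
#!/bin/sh
# Added example, not from the thread. Emit an nftables ruleset implementing
# "inbound ports <= threshold blocked unless manually opened, higher ports open".
#   $1  threshold port (e.g. 1024, 10000 or 16384 as discussed)
#   $2  space-separated low ports opened manually, may be empty (e.g. "22 443")
#   $3  WAN interface name, assumed "wan0" if omitted
gen_ruleset() {
  threshold="$1"
  allow="$2"
  wan="${3:-wan0}"

  # nft rejects an empty element list, so only define the set when needed.
  if [ -n "$allow" ]; then
    set_elems=$(printf '%s' "$allow" | tr ' ' ',')
    set_def="    set allow_low { type inet_service; elements = { ${set_elems} } }"
    allow_rules="        tcp dport @allow_low accept
        udp dport @allow_low accept"
  else
    set_def=""
    allow_rules=""
  fi

  cat <<EOF
table inet home_fw {
${set_def}
    chain forward {
        # policy accept: anything not dropped below (ports > threshold) passes
        type filter hook forward priority 0; policy accept;
        iifname != "${wan}" accept
        ct state established,related accept
        ct state invalid drop
${allow_rules}
        tcp dport 1-${threshold} drop
        udp dport 1-${threshold} drop
    }
}
EOF
}

# Usage: gen_ruleset 1024 "22 443" wan0 | sudo nft -f -
gen_ruleset "${1:-1024}" "${2:-}" "${3:-wan0}"
```

Note that the blank lines left when no allowlist is given are harmless to `nft -f`. The Swisscom-style variant from the quoted reply would instead keep a small explicit drop set of known-insecure ports with no threshold rule at all; the two rules that differ are the `dport 1-${threshold} drop` lines.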
