Archived from groups: comp.security.firewalls
In the books and Usenet posts I've read there is a lot of concern
about ensuring your firewall blocks access to exploited ports, such as
31337. But suppose your firewall looks like:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
... now enable some OUTPUT ports for HTTP, DNS, etc.
If I don't explicitly enable the exploited ports, isn't this then
sufficient blocking? Or, in other words, why is the explicit blocking
text also required?
javaguy_in_wheaton wrote:
>In the books and Usenet posts I've read there is a lot of concern
>about ensuring your firewall blocks access to exploited ports, such as
>31337. But suppose your firewall looks like:
>
>iptables -P INPUT DROP
>iptables -P OUTPUT DROP
>iptables -P FORWARD DROP
>
>... now enable some OUTPUT ports for HTTP, DNS, etc.
>
>If I don't explicitly enable the exploited ports, isn't this then
>sufficient blocking? Or, in other words, why is the explicit blocking
>text also required?
It makes people feel safer. If your default policy is DROP, then only
what you specifically allow will make it through.
javaguy_in_wheaton wrote:
> In the books and Usenet posts I've read there is a lot of concern
> about ensuring your firewall blocks access to exploited ports, such as
> 31337. But suppose your firewall looks like:
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> ... now enable some OUTPUT ports for HTTP, DNS, etc.
>
> If I don't explicitly enable the exploited ports, isn't this then
> sufficient blocking? Or, in other words, why is the explicit blocking
> text also required?
It isn't. It's only there for marketing reasons. It doesn't do anything.
Martin wrote:
>javaguy_in_wheaton wrote:
>
>> In the books and Usenet posts I've read there is a lot of concern
>> about ensuring your firewall blocks access to exploited ports, such as
>> 31337. But suppose your firewall looks like:
>>
>> iptables -P INPUT DROP
>> iptables -P OUTPUT DROP
>> iptables -P FORWARD DROP
>>
>> ... now enable some OUTPUT ports for HTTP, DNS, etc.
>>
>> If I don't explicitly enable the exploited ports, isn't this then
>> sufficient blocking? Or, in other words, why is the explicit blocking
>> text also required?
>
>It isn't. It's only there for marketing reasons. It doesn't do anything.
LOL! Of course it does, but it's merely redundant, as the "catch-all"
policy will deal with it when it finds no rules that match. Just
purely out of curiosity, why would you say it's marketing reasons?
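To make the thread's point concrete, here is an added example (not from any of the posters) that models iptables first-match chain evaluation in Python: with a DROP policy and only narrow ACCEPT rules, an explicit DROP for 31337 changes nothing, but it stops being redundant when a broad ACCEPT (a whole high-port range) would otherwise match, and a LOG rule in front of it gives visibility that the silent policy drop never does. The rule fields and the chains below are a simplified, constructed model, not the real iptables matcher.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    state: str = "NEW"  # conntrack state: "NEW" or "ESTABLISHED"

@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT, DROP or LOG
    proto: Optional[str] = None               # like -p
    dports: Optional[Tuple[int, int]] = None  # like --dport lo:hi (lo == hi for one port)
    state: Optional[str] = None               # like -m state --state

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dports is not None and not (self.dports[0] <= pkt.dport <= self.dports[1]):
            return False
        return self.state is None or self.state == pkt.state

def evaluate(chain: List[Rule], policy: str, pkt: Packet, log: Optional[list] = None) -> str:
    """First matching terminating rule wins; LOG records the packet and falls
    through; if nothing matches, the chain policy (the -P setting) decides."""
    for rule in chain:
        if rule.matches(pkt):
            if rule.target == "LOG":
                if log is not None:
                    log.append(pkt)
                continue
            return rule.target
    return policy

# The poster's OUTPUT chain: policy DROP plus a few explicit allows, nothing else.
POLICY = "DROP"
OUTPUT_MINIMAL = [
    Rule("ACCEPT", state="ESTABLISHED"),
    Rule("ACCEPT", "tcp", (80, 80)),
    Rule("ACCEPT", "tcp", (443, 443)),
    Rule("ACCEPT", "udp", (53, 53)),
]
# Same chain with the "explicit block" line the books recommend: redundant here.
OUTPUT_WITH_BLOCK = [Rule("DROP", "tcp", (31337, 31337))] + OUTPUT_MINIMAL
# A looser chain that allows a whole high-port range; now an ACCEPT would match
# 31337, so an explicit DROP (with a LOG in front of it) actually does something.
OUTPUT_LOOSE = OUTPUT_MINIMAL + [Rule("ACCEPT", "tcp", (1024, 65535))]
OUTPUT_LOOSE_BLOCKED = [Rule("LOG", "tcp", (31337, 31337)),
                        Rule("DROP", "tcp", (31337, 31337))] + OUTPUT_LOOSE

def verdict_31337(chain: List[Rule], log: Optional[list] = None) -> str:
    return evaluate(chain, POLICY, Packet("tcp", 31337), log)
```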