On 4/28/16, Green Dream greendream848@gmail.com wrote:
The likes of GRC.COM http://grc.com/ make you think that any port not
blocked... is bad.
I wondered why if nothing there
Because there is a difference between a closed port and a filtered port. Deny vs drop. The less of a fingerprint you offer to attackers, the better. It's security by obscurity to an extent, but even a response from a closed port can give away clues about the software, OS and network stack that's running.
Another reason is that by filtering as root, it requires anything that does happen to escalate to root and unfilter before being able to use any other port. Another: some exploit in the part of the stack responsible for sending the deny. Tradeoff: management overhead, possible lockout of yourself. Backup, practice, document, test.
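As an added example (not from the thread), an nftables ruleset that gives the "filtered, not closed" default discussed above, with management access accepted before the drop policy applies so the lockout tradeoff is handled; the 192.0.2.0/24 management network is a placeholder assumption.

```nft
#!/usr/sbin/nft -f
# Added example ruleset; 192.0.2.0/24 is an assumed management network, replace it.
flush ruleset

table inet filter {
    chain input {
        # Default policy drop: unsolicited probes get no RST and no ICMP
        # unreachable, so a scanner reports "filtered" rather than "closed".
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # Management SSH is accepted before anything else so that loading
        # this file over SSH does not cut off the session you loaded it from.
        tcp dport 22 ip saddr 192.0.2.0/24 ct state new accept

        # Keep the ICMP the stack itself needs (PMTU discovery, IPv6 NDP).
        icmp type { destination-unreachable, time-exceeded, echo-request } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      echo-request, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept

        # The "closed port" behaviour the reply contrasts with: an explicit
        # reject answers every probe with a TCP RST or ICMP port-unreachable,
        # confirming the host is up and exposing the reply path to fingerprinting.
        # Left disabled on purpose; shown only for comparison.
        # tcp dport 1-65535 reject with tcp reset
        # udp dport 1-65535 reject with icmpx type port-unreachable
    }
}
```

Load it with `nft -f` from a session you can afford to lose, confirm a second SSH session still connects, and only then persist it.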