Default policy for OUTPUT

Solution 1:

The "risk" is that any process on the machine is then allowed to initiate a network connection and send network packets.

That means there is nothing on the server to block any user, legitimate or not, nor any process from potentially trying to connect to any other networked device within your own network or possibly the whole internet.

Often that isn't much of a problem; it is considered the responsibility of the remote systems to restrict incoming traffic in the first place, and you might have firewall policies already on critical points in your network.

Setting the default policy to anything else, for instance REJECT, means that you will need to explicitly authorise all legitimate traffic flows, which requires a thorough understanding of your system and all applications and dependencies that run on your server. Often that means a considerable administrative burden.

The benefit is of course that the potential impact of a misconfigured application is mitigated; it might make it more difficult to abuse a system, although on a thoroughly compromised system the attacker can always simply switch off a software firewall...

From a security perspective it is of course quite simple: anything that isn't explicitly allowed is to be denied. That makes a lot of sense in an environment with strong security requirements and for instance on a dedicated firewall; on a multi-purpose server doing so might be prohibitively difficult.
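
The "explicitly authorise all legitimate traffic flows" approach described in the answer above, sketched as an added example that is not part of the original answer: a shell function that validates a list of allowed outbound flows and prints the matching iptables commands for review. The `proto:port:dest` flow syntax, the function name `gen_egress_rules` and the sample flows are assumptions of this example.

```sh
#!/bin/sh
# Added example. Prints (does not run) IPv4 iptables commands for a default-deny
# OUTPUT chain. The "proto:port:dest" flow syntax is this example's own
# convention; dest is an IPv4 address/CIDR or "any". ip6tables needs its own rules.
gen_egress_rules() {
    rules=''
    for flow in "$@"; do
        case $flow in *:*:*) ;; *) echo "want proto:port:dest, got '$flow'" >&2; return 1 ;; esac
        proto=${flow%%:*}; rest=${flow#*:}
        port=${rest%%:*}; dest=${rest#*:}
        case $proto in tcp|udp) ;; *) echo "bad protocol in '$flow'" >&2; return 1 ;; esac
        case $port in ''|*[!0-9]*) echo "bad port in '$flow'" >&2; return 1 ;; esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$flow'" >&2; return 1
        fi
        case $dest in
            any) dst='' ;;
            ''|*[!0-9./]*) echo "bad destination in '$flow'" >&2; return 1 ;;
            *) dst=" -d $dest" ;;
        esac
        rules="${rules}iptables -A OUTPUT -p $proto$dst --dport $port -m conntrack --ctstate NEW -j ACCEPT
"
    done
    # Loopback IPC and packets of already-tracked connections (keeps a live SSH session up).
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    echo 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s' "$rules"
    # Log what falls through, rate-limited, so missing flows can be found and added.
    echo 'iptables -A OUTPUT -m limit --limit 6/minute -j LOG --log-prefix "egress-denied: "'
    # Final REJECT lets local applications fail fast instead of timing out.
    echo 'iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited'
    # Policy goes last, after the allow rules exist; chain policies take ACCEPT or DROP only.
    echo 'iptables -P OUTPUT DROP'
}

# Constructed flows: DNS to one resolver (documentation address), HTTPS to anywhere.
gen_egress_rules udp:53:192.0.2.53 tcp:443:any
```

The rate-limited LOG rule is what keeps the administrative burden manageable: denied flows show up in the kernel log with the `egress-denied: ` prefix and can be reviewed before being added to the list.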