Fri Nov 20, 2020 5:39 pm
The default firewall has one LAN and you usually trust connected devices, so everything is allowed. But it makes sense to make other things more restricted. For example, guests are not necessarily trusted, so they can get just port 53 for DNS and that's enough (DHCP uses raw sockets, so it doesn't need to be allowed in the IP firewall).
I prefer to allow the few needed things and block everything else. It won't make any difference if nothing is listening on other ports. But if something is and you miss it, it won't be accidentally open without you knowing about it.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
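As an added example (not from the post above), here is a RouterOS `/ip firewall filter` input-chain fragment implementing the "allow DNS only, drop the rest" policy described for guests. It assumes the guest-facing interfaces are collected in an interface list named `guest`; that name is not from the post.

```routeros
# Added example: restrict what guest devices may reach on the router itself
# (input chain). Assumes an interface list "guest" already exists.
/ip firewall filter

# Replies to connections the router itself opened are still allowed.
add chain=input in-interface-list=guest \
    connection-state=established,related \
    action=accept comment="guest: established/related"

# DNS to the router is the only service guests need (UDP and TCP 53).
add chain=input in-interface-list=guest protocol=udp dst-port=53 \
    action=accept comment="guest: DNS (UDP)"
add chain=input in-interface-list=guest protocol=tcp dst-port=53 \
    action=accept comment="guest: DNS (TCP)"

# No DHCP rule is needed: the DHCP server uses raw sockets and is not
# subject to the IP firewall (as the post notes).

# Everything else from guests to the router is dropped and logged, so a
# service that is accidentally listening shows up in the log instead of
# being silently reachable.
add chain=input in-interface-list=guest \
    action=drop log=yes log-prefix="guest-input-drop" \
    comment="guest: drop everything else"
```

Put these rules before any broad `accept` rule in the input chain, since RouterOS evaluates filter rules in order and stops at the first match.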