Re: ipfw l b for users ?

Warner Losh (imp@village.org)
Sun, 18 Feb 1996 12:13:18 -0700


: 'Security through obscurity' doesn't work, and:
: 'The Bad Guys DO have the Information.'

They know....

: On a real firewalling System there are NO untrusted users.

Not true. On a firewall system, there can be trusted users that have
had their accounts penetrated (since the bad guys do have information
:-). Generally, a firewall system you want no users and no remote
access...

This isn't a STO argument. The argument here is that in order to
discover what can and can't go through the firewall, they will likely
trip over things that you are logging. If you don't give them a list,
then it is much more likely that they will show up in your logs. This
isn't saying that they can't find this information out, merely that
doing so will likely put you on their trail.

Finally, the maxim in the security community is "All things not
permitted are forbidden." It doesn't hurt to do this and will make
the job harder for some people. Security is in the business of making
things harder... This is different from other systems where "show all
things by default"...

For a good book on why all of this is needed, see the book _Firewalls
and Internet Security_ by Cheswick and Bellovin. ISBN 0-201-63357-4.

Warner
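The logging argument above, as an added example that is not part of Warner's post: a small Python script that reads ipfw `deny log` syslog lines (the sample lines are constructed, and the line layout is assumed from ipfw(8)) and reports sources that have bumped into several different denied services, which is exactly what a probing user "trips over" when the rule list is not handed out.

```python
import re
from collections import defaultdict

# Constructed sample of syslog lines from an ipfw ruleset whose catch-all
# rule is "deny log"; the layout is assumed from ipfw(8), not from the post.
SAMPLE_LOG = """\
Feb 18 12:13:18 fw kernel: ipfw: 65000 Deny TCP 10.0.0.5:4321 192.168.1.10:23 in via ed0
Feb 18 12:13:19 fw kernel: ipfw: 65000 Deny TCP 10.0.0.5:4322 192.168.1.10:25 in via ed0
Feb 18 12:13:20 fw kernel: ipfw: 65000 Deny TCP 10.0.0.5:4323 192.168.1.10:110 in via ed0
Feb 18 12:13:21 fw kernel: ipfw: 65000 Deny UDP 10.0.0.5:4324 192.168.1.10:53 in via ed0
Feb 18 12:13:22 fw kernel: ipfw: 65000 Deny TCP 10.0.0.9:1025 192.168.1.10:80 in via ed0
Feb 18 12:13:23 fw kernel: ipfw: 100 Accept TCP 10.0.0.9:1026 192.168.1.10:22 in via ed0
"""

# "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>"
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_log(text):
    """Yield one dict per parseable ipfw log line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def probing_sources(text, threshold=3):
    """Map each source address to the distinct (proto, dport) services it was
    denied on, keeping only sources that hit at least `threshold` of them.
    A single denied packet is noise; several different services is a probe."""
    hits = defaultdict(set)
    for rec in parse_ipfw_log(text):
        if rec["action"] == "Deny":
            hits[rec["src"]].add((rec["proto"], int(rec["dport"])))
    return {src: sorted(svcs) for src, svcs in hits.items() if len(svcs) >= threshold}


if __name__ == "__main__":
    for src, svcs in probing_sources(SAMPLE_LOG).items():
        print(f"{src} was denied on {len(svcs)} distinct services: {svcs}")
```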