There is a current thread over at Wilders Security Forums discussing this same topic. Unfortunately it got a bit off track when the firewall experts chimed in. The OP did post on that thread the PF default rules for system and svchost.exe. I have attached those.
For people not familiar with PF, the default settings are high for Internet security and low for network (LAN) settings for the "Home" profile. That is what those "H" and "L" columns correspond to on the attached pics.
The important point to note is that by default, PF allows file/drive sharing, etc. It also allows PPTP TCP outbound to port 1723 along with some other rule goodies. In contrast, the default WIN 7 firewall setting does not allow file sharing although it does allow remote connections; why I don't know.
I also noticed that the DNS rule is missing in the PF svchost.exe screen shot. I know it existed in my prior PF setup and it did allow inbound UDP to port 53 - go figure.
We all know that the first thing you turn off in any firewall setting is file sharing unless you absolutely need it.
-Edit- I decided to post the link to that Wilders thread I referred to above:
http://www.wilderssecurity.com/showthread.php?s=da5fa5e24de357a21ada2daab2e84a01&t=322044
In it "Stem", a noted web firewall heavy, gives an enlightening discussion on what the current status is in retail firewalls as it applies to "stateful inspection." I believe most people assume that with that feature, outbound packets are magically assigned a reference number that is used to id corresponding inbound packets. Surprise! Only two known firewalls do; Norton's (limited) and LnL. As he notes, with enough effort, most inbound packets can be "spoofed."
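As an added example (not from the forum post, and not any vendor's actual implementation), here is a minimal Python connection-tracking filter of the kind the post is describing: an inbound packet is admitted only if it lines up with a connection this host opened, so DNS replies get in without a static "allow inbound UDP 53" rule while unsolicited packets to port 53 or 445 are dropped. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """One packet as seen by the host firewall (constructed sample model)."""
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag; ignored for UDP

class StatefulFilter:
    """Admits inbound traffic only if it answers a connection this host opened."""
    def __init__(self):
        # entries: (proto, local_ip, local_port, remote_ip, remote_port)
        self.state = set()

    def outbound(self, pkt):
        # A TCP flow only enters the table on its SYN; UDP has no handshake,
        # so the first outbound datagram creates the entry.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto == "tcp" and not pkt.syn and key not in self.state:
            return "drop"
        self.state.add(key)
        return "allow"

    def inbound(self, pkt):
        # Swap the tuple so a reply lines up with the outbound entry.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.state else "drop"

def demo():
    """Walk a few constructed packets through the filter; returns the verdicts."""
    fw = StatefulFilter()
    return [
        # DNS query out, then its reply in: matched by state, no static rule needed
        fw.outbound(Packet("udp", "192.168.1.10", 53123, "9.9.9.9", 53)),
        fw.inbound(Packet("udp", "9.9.9.9", 53, "192.168.1.10", 53123)),
        # Unsolicited UDP to port 53 on the host: dropped
        fw.inbound(Packet("udp", "198.51.100.7", 4000, "192.168.1.10", 53)),
        # Packet from the resolver's address but to a port we never used: dropped
        fw.inbound(Packet("udp", "9.9.9.9", 53, "192.168.1.10", 40000)),
        # Inbound SYN to SMB (file sharing) with no state: dropped
        fw.inbound(Packet("tcp", "198.51.100.7", 50000, "192.168.1.10", 445, syn=True)),
        # Outbound PPTP control connection, then its SYN/ACK back: allowed
        fw.outbound(Packet("tcp", "192.168.1.10", 51000, "203.0.113.5", 1723, syn=True)),
        fw.inbound(Packet("tcp", "203.0.113.5", 1723, "192.168.1.10", 51000)),
    ]
```

Running `demo()` returns `['allow', 'allow', 'drop', 'drop', 'drop', 'allow', 'allow']`; a real firewall would also age entries out and check TCP sequence numbers, which this model leaves out.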