Re: Please help confused iptables user

Moe Trin wrote:
> On 24 Jan 2006in the Usenet newsgroup comp.security.firewalls, in article
> <43ng5cF1ji60uU1@xxxxxxxxxxxxxx>, Ansgar -59cobalt- Wiechers wrote:
>> Moe Trin wrote:
>>> Set the default, then drop all rules. Don't you think it might be
>>> better the other way?
>>
>> No. Flushing doesn't affect the default policy,
>
> I'm used to having rules follow in order
>
>> and by setting the default policy after flushing the chains one might
>> get a (small) period of time where the chains may inadvertently
>> accept packets.
>
> I'm also used to setting the firewall before starting any network
> services. Without network services (daemons, and the superserver), the
> only thing in or out is ICMP (and we bring our public facing systems
> up with ICMP echo disabled).

Despite of what you're used to it is neither recommended nor a good
practice to flush the chains first and set the default policy
afterwards. Don't do it.

cu
59cobalt
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
.

Relevant Pages

  • Re: Iptables new chain policy
    ... Set the policy for the chain to the given target. ... See the section TARGETS for the legal targets. ... Only built-in chains can have ...
    (comp.os.linux.security)
  • Re: Redhat 7.3 firewall issues
    ... Do I need to have a DROP/REJECT statement after my INPUT and ... Wes Ream wrote: ... >> Chain OUTPUT (policy ACCEPT) ... > OUTPUT chains and no DROP or REJECT at the end of the chains, ...
    (comp.os.linux.security)
  • Re: Port 135 ???
    ... I'm using the "limit" option to stop sucking up my logfiles: ... The default policy is drop, for all chains. ... Michael Heiming ...
    (comp.os.linux.networking)
  • Re: Blocking ports scan
    ... "Michael (Cegonha)" wrote: ... It is a list of CHAINS in the filter table. ... they have a default policy which is ...
    (comp.os.linux.security)