Re: Please help confused iptables user
- From: Ansgar -59cobalt- Wiechers <usenet-2006@xxxxxxxxxxxxxxxx>
- Date: 25 Jan 2006 17:31:42 GMT
Moe Trin wrote:
> On 24 Jan 2006in the Usenet newsgroup comp.security.firewalls, in article
> <43ng5cF1ji60uU1@xxxxxxxxxxxxxx>, Ansgar -59cobalt- Wiechers wrote:
>> Moe Trin wrote:
>>> Set the default, then drop all rules. Don't you think it might be
>>> better the other way?
>> No. Flushing doesn't affect the default policy,
> I'm used to having rules follow in order
>> and by setting the default policy after flushing the chains one might
>> get a (small) period of time where the chains may inadvertently
>> accept packets.
> I'm also used to setting the firewall before starting any network
> services. Without network services (daemons, and the superserver), the
> only thing in or out is ICMP (and we bring our public facing systems
> up with ICMP echo disabled).
Despite of what you're used to it is neither recommended nor a good
practice to flush the chains first and set the default policy
afterwards. Don't do it.
"All vulnerabilities deserve a public fear period prior to patches
--Jason Coombs on Bugtraq
- Prev by Date: Re: Norton vs Zone Alarm
- Next by Date: Taming the elusive svchost.exe in WindowsXP
- Previous by thread: Re: Please help confused iptables user
- Next by thread: Re: Please help confused iptables user