From: Ray Leach <raymondl@knowledgefactory.co.za>
To: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: RE: new iptables user - default options
Date: Tue, 28 Oct 2003 15:09:21 +0200
Message-ID: <1067346561.25414.137.camel@raylinux.internal>
In-Reply-To: <FDB52A0429DFD31196FB0008C7D972D50EA578CB@OST_EXCH_USR5>


On Tue, 2003-10-28 at 14:54, Knight, Steve wrote:
> Thanks Robert - I appreciate your response.
> 
> I have to say I'd agree - it seems to be more of a belt and braces approach
> to use your suggestion, and more in the spirit of what we were told in
> checkpoint kindergarten ["deny everything unless explicitly asked" - also
> sounds a bit like being married].
> 
> Are the rules in each chain processed top down?
> 
Yes, and that is possibly why the default for deadbat is to create a user chain:
user chains are called from the default chains (or other user chains), and
then their rules are checked; when a match is found or the end of the user
chain is reached, execution/parsing continues from where the user chain
was called. This is one method of setting up logging rules, and it also
makes debugging a work-in-progress firewall setup easier.

> steve
> 
> -----Original Message-----
> From: Robert P. J. Day [mailto:rpjday@mindspring.com]
> Sent: 28 October 2003 12.34
> To: Knight, Steve
> Cc: netfilter@lists.netfilter.org
> Subject: Re: new iptables user - default options
> 
> On Tue, 28 Oct 2003, Knight, Steve wrote:
> 
> > Hi there
> > 
> > Rh9 has installed all the default filter policies as "accept" and then
> > forwards all packets from INPUT and FORWARD to a Lokkit chain.
> > 
> > Is this normal?  It seems to me [as an iptables n00b, although I am
> > checkpoint certified] to be ok, as eventually the traffic is hitting the
> > detailed lokkit chain, but is this the default install options that
> > everyone gets?
> 
> it seems that it's just a philosophical difference.  you can set the
> DENY policy, then explicitly accept only what you want, or as RH did,
> accept everything only to pass it all to a user-defined chain that
> effectively does the same thing.
> 
> personally, i'd rather see a DENY policy so that, if i somehow messed
> up some of my rules, i'm more likely to be *more* restrictive than
> less restrictive.  but RH's approach seems no worse, just different.
> 
> rday
-- 
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
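A small model of the chain traversal Ray describes, added here as an example (it is not code from the thread or from netfilter): it shows a user chain handing control back to its caller when it runs out of rules, and why Robert's preferred DROP policy fails closed while an ACCEPT policy with a forgotten catch-all rule in the user chain fails open. Chain names, ports and packets are constructed.

```python
# Added illustration, not code from the thread or from netfilter: a tiny model of how
# iptables walks a built-in chain top-down, jumps into a user chain, and falls back
# to the chain policy only when no rule produced a verdict. A rule is (criteria,
# target); an empty criteria dict matches every packet. All values are constructed.
ACCEPT, DROP, RETURN, LOG = "ACCEPT", "DROP", "RETURN", "LOG"

def walk_chain(chains, name, pkt, log):
    """Returns ACCEPT/DROP, or None when the chain ran out of rules (or hit
    RETURN), in which case the calling chain carries on after the jump."""
    for criteria, target in chains[name]:
        if any(pkt.get(k) != v for k, v in criteria.items()):
            continue                   # rule does not match this packet
        if target == LOG:              # non-terminating: record and keep going
            log.append(f"{name}: {pkt}")
            continue
        if target == RETURN:
            return None
        if target in (ACCEPT, DROP):
            return target
        verdict = walk_chain(chains, target, pkt, log)   # jump into a user chain
        if verdict is not None:
            return verdict             # the user chain decided; stop here
    return None                        # fell off the end of this chain

def filter_packet(chains, policy, pkt, log=None):
    """Run pkt through INPUT; the policy applies only if no rule decided it."""
    verdict = walk_chain(chains, "INPUT", pkt, [] if log is None else log)
    return policy if verdict is None else verdict

SSH = {"proto": "tcp", "dport": 22}
TELNET = {"proto": "tcp", "dport": 23}

# Style 1: DROP policy on INPUT, accept only what is wanted.
strict = {"INPUT": [(SSH, ACCEPT)]}

# Style 2, as the thread describes RH doing it: ACCEPT policy, every packet jumps
# to a user chain whose last rules log and drop whatever was not accepted above.
rh_style = {
    "INPUT": [({}, "RH-Lokkit")],
    "RH-Lokkit": [(SSH, ACCEPT), ({}, LOG), ({}, DROP)],
}

# Same layout with the catch-all DROP forgotten: an unwanted packet falls off the
# end of the user chain, returns to INPUT, and the ACCEPT policy lets it in.
rh_missing_dropall = {
    "INPUT": [({}, "RH-Lokkit")],
    "RH-Lokkit": [(SSH, ACCEPT), ({}, LOG)],
}
```

With `strict` a missing rule can only make the firewall more restrictive; with `rh_missing_dropall` the same kind of omission opens the port, which is the "belt and braces" distinction the thread is about.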
