From: "Gáspár Lajos" <swifty@freemail.hu>
To: netfilter@vger.kernel.org
Subject: The death of policy (WAS -> Re: [ANNOUNCE] Release of iptables-1.4.3.2)
Date: Fri, 10 Apr 2009 12:54:54 +0200
Message-ID: <49DF257E.3020702@freemail.hu>
In-Reply-To: <49DEF36A.8010509@chello.at>
Mart Frauenlob wrote:
> More continuous would be IMHO:
>
> - filter table - DROP allowed and right - DROP policy = good
> - mangle table - DROP prohibited - DROP policy = prohibited
> - nat table - DROP prohibited - DROP policy = prohibited
> - raw table - DROP allowed and right for avoiding conntrack - DROP
> policy = prohibited
If I follow you then I would say that we do not need any policy in
mangle, nat, raw table...
Just simply accept any packet..
> Again, why allow, what is considered wrong?
> If you know what you are doing, filtering in the nat table will do
> what you want, because you know about the special behaviour.
> Only the lack of knowledge makes things go wrong.
(nod)
> And that is the point. If you know iptables, you do your filtering in
> the filter table, or in the raw table (to avoid conntrack for some
> blacklist kind of stuff).
Maybe we could delete that conntrack entry if we drop a packet in the
filter table...
> Many of them are inexperienced. Therefore the concept should be clear,
> continuous and error messages should be understandable.
(nod)
> Preventing the user from doing nonsense. It's about the security, not
> some trivial thing...
(nod)(nod)
>
> Well, just thoughts about my favorite software... :)
>
lol
One more thing...
If there is no policy in the tables (except filter) then the ACCEPT
target is (MAYBE) useless in those tables...
Swifty
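A defender's illustration of the placement argument in this thread, added here and not part of the thread or of iptables itself: a constructed iptables-save style ruleset that keeps filtering in the filter table (DROP policy) and the raw table (NOTRACK blacklist), leaves nat and mangle at their ACCEPT policy, and a small POSIX shell/awk lint that flags any DROP policy or DROP rule that has strayed into nat or mangle, where the nat table only sees the first packet of a connection. The sample addresses and the function names `lint_ruleset` and `count_findings` are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: lint an iptables-save style ruleset and
# report DROP policies or DROP rules placed in the nat or mangle tables.

# Constructed sample ruleset in iptables-save format (assumption: not a real
# host's configuration). It follows the thread's recommendation, except for
# one deliberately misplaced DROP rule in the nat table.
SAMPLE_RULESET='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.0.2.0/24 -j NOTRACK
-A PREROUTING -s 192.0.2.0/24 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 198.51.100.7 -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# lint_ruleset: read a ruleset on stdin and print one finding per line as
# "<table> policy <chain>" or "<table> rule <chain>". Returns 1 if any
# finding was printed, 0 otherwise. Only nat and mangle are checked; DROP in
# filter and raw is what the thread considers correct.
lint_ruleset() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        table == "nat" || table == "mangle" {
            # ":CHAIN POLICY [pkts:bytes]" with a DROP policy
            if ($0 ~ /^:/ && $2 == "DROP") {
                print table, "policy", substr($1, 2); found = 1
            }
            # "-A CHAIN ... -j DROP" rule
            if ($0 ~ /^-A / && $0 ~ / -j DROP( |$)/) {
                print table, "rule", $2; found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# count_findings: number of findings for a ruleset passed as a string.
count_findings() {
    printf '%s\n' "$1" | lint_ruleset | wc -l | tr -d ' '
}

# Usage: lint the constructed sample (reports the misplaced nat DROP rule).
printf '%s\n' "$SAMPLE_RULESET" | lint_ruleset
```

Run it against the output of `iptables-save` on a real host to see whether any filtering has crept into nat or mangle; a clean ruleset prints nothing and the function returns 0.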