Linux Netfilter discussions
* Drop Input Policy
@ 2006-02-14 19:02 netfilter
  2006-02-14 19:21 ` Cedric Blancher
  0 siblings, 1 reply; 2+ messages in thread
From: netfilter @ 2006-02-14 19:02 UTC (permalink / raw)
  To: netfilter_list

If the default INPUT chain policy is set to drop, is there any reason to
explicitly add rules to drop packets within the firewall script?  I am
reading various firewall books and it is recommended that you set the
default INPUT chain to drop. After this is done, they go on to construct
a firewall to drop all sorts of packets on the INPUT chain.  I am
somewhat confused why these rules are needed when your default is to
drop.  Can you simply just add accept rules?  Is the default drop policy
a safety net, and is it good practice to explicitly drop packets within
your script?

Thanks    



* Re: Drop Input Policy
  2006-02-14 19:02 Drop Input Policy netfilter
@ 2006-02-14 19:21 ` Cedric Blancher
  0 siblings, 0 replies; 2+ messages in thread
From: Cedric Blancher @ 2006-02-14 19:21 UTC (permalink / raw)
  To: netfilter; +Cc: netfilter_list

On Tuesday, 14 February 2006 at 12:02 -0700, netfilter@buglecreek.com
wrote:
> If the default INPUT chain policy is set to drop is there any reason to
> explicitly add rules to drop packets within the firewall script?

Well, it depends...

Take a very specific configuration in which you use a tree of user chains
to reduce your ruleset complexity and thus increase performance compared
to a flat ruleset. In this very case, you want to drop packets at the
end of terminal user chains. As user chains do not have a policy, you have
to set a DROP rule at the end.

To be less specific, you may want to drop packets as soon as you know
they must be dropped, again for performance reasons. As an example, if you
don't want to accept INVALID packets, it's useless (and a waste of
processing) to have them go through your entire ruleset so they get
dropped by policy. You will put an -m state --state INVALID -j DROP rule
very early; in the same spirit, lots of people accept ESTABLISHED/RELATED
packets at the top of the ruleset, since they make up the bulk of the
traffic.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
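A worked ruleset that puts the reply above into practice, added here as an example and not taken from the thread or from any netfilter project code: INPUT keeps a DROP policy as the safety net, ESTABLISHED/RELATED is accepted and INVALID is dropped at the very top, traffic is then dispatched into a tree of user chains, and every user chain ends in an explicit DROP because user chains carry no policy. The interface names (eth0/eth1), the LAN prefix and the port numbers are assumptions for illustration. A second function checks the generated text for the one mistake the reply warns about, a user chain whose last rule is not a DROP.

```shell
#!/bin/sh
# Added example, not from the original post. Emits an iptables-restore
# ruleset applying the advice in the reply: policy DROP as safety net,
# cheap high-volume decisions first, user-chain tree with explicit DROPs.
# Interface names, addresses and ports are assumed values.

gen_ruleset() {
    # Load with:  gen_ruleset | iptables-restore   (as root)
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:in_lan - [0:0]
:in_wan - [0:0]
:in_wan_tcp - [0:0]
:in_wan_udp - [0:0]
# Bulk of the traffic: accept replies to our own connections first
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop INVALID early so it never walks the rest of the tree
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# Dispatch by ingress interface (assumed names); unknown interfaces
# fall through to the INPUT policy and are dropped there
-A INPUT -i eth0 -j in_lan
-A INPUT -i eth1 -j in_wan
# Terminal chain: explicit DROP at the end, user chains have no policy
-A in_lan -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
-A in_lan -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
-A in_lan -j DROP
# Non-terminal chain: split by protocol, still ends in DROP
-A in_wan -p tcp -j in_wan_tcp
-A in_wan -p udp -j in_wan_udp
-A in_wan -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A in_wan -j DROP
-A in_wan_tcp -p tcp --syn --dport 443 -j ACCEPT
-A in_wan_tcp -p tcp --syn --dport 80 -j ACCEPT
-A in_wan_tcp -j DROP
-A in_wan_udp -p udp --dport 1194 -j ACCEPT
-A in_wan_udp -j DROP
COMMIT
EOF
}

# Reads an iptables-restore ruleset on stdin. Every user chain (declared
# with ":name -") must end with "-j DROP"; prints offenders, returns 1.
check_terminal_drops() {
    awk '
        /^:/ && $2 == "-" { chain[substr($1, 2)] = 1 }
        /^-A /            { last[$2] = $(NF-1) " " $NF }
        END {
            bad = 0
            for (c in chain)
                if (last[c] != "-j DROP") {
                    print "user chain " c " does not end in DROP"
                    bad = 1
                }
            exit bad
        }'
}

# Stand-alone usage: print the ruleset, then verify it.
if [ "${1:-}" = "show" ]; then
    gen_ruleset
    gen_ruleset | check_terminal_drops
fi
```

The check is deliberately run on the text rather than on a live kernel, so it fits in a pre-commit hook or CI job: `gen_ruleset | check_terminal_drops` exits non-zero and names the chain if someone later appends an ACCEPT after the final DROP or forgets the DROP on a new branch.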


