From: "Gáspár Lajos" <swifty@freemail.hu>
To: netfilter@vger.kernel.org
Subject: The death of policy (WAS -> Re: [ANNOUNCE] Release of iptables-1.4.3.2)
Date: Fri, 10 Apr 2009 12:54:54 +0200
Message-ID: <49DF257E.3020702@freemail.hu>
In-Reply-To: <49DEF36A.8010509@chello.at>
Mart Frauenlob wrote:
> More continuous would be IMHO:
>
> - filter table - DROP allowed and right - DROP policy = good
> - mangle table - DROP prohibited - DROP policy = prohibited
> - nat table - DROP prohibited - DROP policy = prohibited
> - raw table - DROP allowed and right for avoiding conntrack - DROP policy = prohibited
If I follow you, then I would say that we do not need any policy in the
mangle, nat, raw tables...
Just simply accept any packet..
> Again, why allow, what is considered wrong?
> If you know what you are doing, filtering in the nat table will do
> what you want, because you know about the special behaviour.
> Only the lack of knowledge makes things go wrong.
(nod)
> And that is the point. If you know iptables, you do your filtering in
> the filter table, or in the raw table (to avoid conntrack for some
> blacklist kind of stuff).
Maybe we could delete that conntrack entry if we drop a packet in the
filter table...
> Many of them are inexperienced. Therefore the concept should be clear,
> continuous and error messages should be understandable.
(nod)
> Preventing the user from doing nonsense. It's about the security, not
> some trivial thing...
(nod)(nod)
>
> Well, just thoughts about my favorite software... :)
>
lol
One more thing...
If there is no policy in the tables (except filter) then the ACCEPT
target is (MAYBE) useless in those tables...
Swifty
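The table/DROP model from Mart's list above, turned into a check that can be run over an iptables-save dump: this is an added example, not code from the thread or from the iptables project. It assumes exactly that model (filter: DROP rules and DROP policy fine; raw: DROP rules only; mangle and nat: neither), and the sample dump is constructed.

```python
# Tables where "-j DROP" rules / a DROP chain policy are acceptable under the
# model discussed above: filter gets both, raw gets rules only (to skip conntrack).
DROP_RULE_ALLOWED = {"filter", "raw"}
DROP_POLICY_ALLOWED = {"filter"}

def lint_iptables_save(dump):
    """Return 'table/chain: reason' for every DROP placed in the wrong table."""
    findings, table = [], None
    for line in (l.strip() for l in dump.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # "*nat" opens a table block
            table = line[1:]
        elif line == "COMMIT":              # ends the current table block
            table = None
        elif line.startswith(":"):          # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            if policy == "DROP" and table not in DROP_POLICY_ALLOWED:
                findings.append(f"{table}/{chain}: DROP policy outside the filter table")
        elif line.startswith("-A "):        # "-A CHAIN ... -j TARGET"
            tokens = line.split()
            target = tokens[tokens.index("-j") + 1] if "-j" in tokens[:-1] else None
            if target == "DROP" and table not in DROP_RULE_ALLOWED:
                findings.append(f"{table}/{tokens[1]}: -j DROP rule outside filter/raw")
    return findings

# Constructed sample dump (not from the thread): raw drops a blacklist range,
# nat wrongly carries a DROP policy and a DROP rule, filter is as expected.
SAMPLE_DUMP = """\
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.0.2.0/24 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING DROP [0:0]
-A PREROUTING -p tcp --dport 80 -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""
```

Running `lint_iptables_save(SAMPLE_DUMP)` reports only the two nat entries; the raw DROP rule and the filter DROP policy pass, matching the list above.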