Hello,
Comparing the default nft rulesets of firewalld and ufw (on Debian 11), I note that ufw provides a qualified 'policy drop' for input, but firewalld does not.
Isn't this less secure, and shouldn't it?
With thanks, Gareth
On Sun, Jul 10, 2022 at 06:44:20AM +0100, Gareth Evans wrote:
> Hello,
> Comparing the default nft rulesets of firewalld and ufw (on Debian 11), I note that ufw provides a qualified 'policy drop' for input, but firewalld does not.
I'm not sure what you mean. firewalld denies most traffic by default. The exception is that some zones, e.g. public, allow some things by default, e.g. ssh.
# nft list chain inet firewalld filter_INPUT
table inet firewalld {
        chain filter_INPUT {
                type filter hook input priority filter + 10; policy accept;
                ct state { established, related } accept
                ct status dnat accept
                iifname "lo" accept
                jump filter_INPUT_ZONES
                ct state invalid drop
                reject with icmpx admin-prohibited   <--- catch-all reject
        }
}
The chain policy is not necessary because there is an explicit rule at the end of the chain.
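Added example, not part of this thread or of firewalld itself: a small check that applies the reasoning above to the text output of `nft list chain`. A chain is default-deny either because its policy is `drop` (ufw's style) or because its last rule is an unconditional `drop`/`reject` (firewalld's style); a chain with `policy accept` and no catch-all is the case to flag. The three chains below are constructed samples embedded inline (the firewalld one is the listing from the thread, one rule per line), not live output from a host.

```python
import re

# Constructed sample: firewalld's filter_INPUT chain as shown in the thread,
# one rule per line. Default-deny comes from the final catch-all reject.
FIREWALLD_INPUT = """table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        jump filter_INPUT_ZONES
        ct state invalid drop
        reject with icmpx admin-prohibited
    }
}"""

# Constructed sample in ufw's style: default-deny comes from the chain policy.
POLICY_DROP_INPUT = """table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
    }
}"""

# Constructed sample that is NOT default-deny: policy accept and no catch-all.
OPEN_INPUT = """table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ct state established,related accept
        tcp dport 22 accept
    }
}"""

# Base-chain header line: "type <t> hook <h> priority ...; policy <verdict>;"
POLICY_RE = re.compile(r"^type\s+\w+\s+hook\s+\w+.*;\s*policy\s+(\w+)\s*;$")
# An unconditional terminal verdict: the whole rule is just "drop" or "reject [with ...]".
CATCH_ALL_RE = re.compile(r"^(drop|reject)(\s+with\s+.*)?$")


def parse_chain(text):
    """Return (policy, rules) from `nft list chain` text output; rules keep their order."""
    policy = None
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the table/chain wrapper lines and closing braces.
        if not line or line.startswith(("table ", "chain ", "}")):
            continue
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        rules.append(line)
    return policy, rules


def default_deny(text):
    """True if packets matching no earlier rule are denied: either the chain
    policy is drop, or the last rule is an unconditional drop/reject."""
    policy, rules = parse_chain(text)
    if policy == "drop":
        return True
    return bool(rules) and CATCH_ALL_RE.match(rules[-1]) is not None


def explain(text):
    """One-line human-readable verdict for a chain listing."""
    policy, rules = parse_chain(text)
    last = rules[-1] if rules else "(no rules)"
    verdict = "default-deny" if default_deny(text) else "NOT default-deny"
    return f"policy {policy}; last rule: {last!r} -> {verdict}"


if __name__ == "__main__":
    samples = [("firewalld", FIREWALLD_INPUT),
               ("policy-drop", POLICY_DROP_INPUT),
               ("open", OPEN_INPUT)]
    for name, chain in samples:
        print(f"{name}: {explain(chain)}")
```

On a real host you would feed it the output of `nft list chain inet firewalld filter_INPUT` instead of the embedded strings. The check only looks at the chain it is given: a trailing `jump` to another chain is deliberately not treated as a catch-all, since whatever that chain accepts is the intended exception, and what falls through it still has to hit the final reject to be denied.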
On Mon 11 Jul 2022, at 13:23, Eric Garver egarver@redhat.com wrote:
> [...]
> # nft list chain inet firewalld filter_INPUT
> table inet firewalld {
>         chain filter_INPUT {
> [...]
>                 reject with icmpx admin-prohibited   <--- catch-all reject
>         }
> }
>
> The chain policy is not necessary because there is an explicit rule at the end of the chain.
That had slipped my notice, thank you for confirming.
Kind regards, Gareth
firewalld-users@lists.fedorahosted.org