davidsen at tmr.com
Wed Aug 18 13:52:18 UTC 2010
Genes MailLists wrote:
> On 08/17/2010 02:08 AM, Tom H wrote:
> #! /bin/sh
>> $IPTABLES --table filter --policy INPUT ACCEPT
>> $IPTABLES --table filter --policy FORWARD ACCEPT
>> $IPTABLES --table filter --policy OUTPUT ACCEPT
> Not saying I'm commenting on the wisdom of the rules one way or
> another - just asking - Does one really want default policy of accept on
> all of these ?
The answer is for a desktop they are adequate, for a firewall absolutely not. I
boot my firewall and set up using bash scripts to change anything. My firewall
config tool is vi. And none of my policies is permissive, open policies follow
the 'anything not forbidden is allowed' rule, while my choice is 'anything not
explicitly permitted is forbidden.'
I also use the log facility heavily on a firewall, to catch attacks. I log to a
debug file and check it regularly from a perl script.
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
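An added example, not code from Bill Davidsen's post nor from any Fedora script: a sketch of the "anything not explicitly permitted is forbidden" ruleset described above, with DROP as the default policy on all three filter chains, a rate-limited LOG target at the debug level, and a small summariser for the log lines that target produces (the Perl script the post mentions is not on the page; awk is used here instead). The interface name, LAN range, permitted ports, log prefix and the sample kernel log lines are all assumptions or constructed values, and fw_rules prints the commands rather than running them so the set can be reviewed before it is piped to sh as root.

```shell
#!/bin/sh
# Added example (not from the original thread). All names below are assumptions.
IPTABLES=${IPTABLES:-/sbin/iptables}
WAN_IF=${WAN_IF:-eth0}                 # assumed external interface
LAN_NET=${LAN_NET:-192.168.1.0/24}     # assumed internal network
LOG_PREFIX="FW-DROP: "                 # assumed prefix, matched again by summarize_drops

# fw_rules prints the iptables commands instead of executing them; review the
# output, then run "fw_rules | sh" as root to apply it.
fw_rules() {
    cat <<EOF
$IPTABLES --table filter --flush
$IPTABLES --table filter --delete-chain
# Default-deny: nothing passes unless a rule below explicitly allows it.
$IPTABLES --table filter --policy INPUT DROP
$IPTABLES --table filter --policy FORWARD DROP
$IPTABLES --table filter --policy OUTPUT DROP
# Loopback and replies to connections we already allowed are always fine.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Explicitly permitted traffic (placeholders): SSH to the box from the LAN,
# DNS and HTTPS out from the box, and new LAN-to-WAN connections through it.
$IPTABLES -A INPUT -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $WAN_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $WAN_IF -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -s $LAN_NET -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
# Everything else is logged (rate-limited so a flood cannot fill the disk)
# at kern.debug, then dropped. syslog can route that level to its own file.
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-level debug --log-prefix "$LOG_PREFIX"
$IPTABLES -A LOGDROP -j DROP
$IPTABLES -A INPUT -j LOGDROP
$IPTABLES -A FORWARD -j LOGDROP
$IPTABLES -A OUTPUT -j LOGDROP
EOF
}

# summarize_drops reads kernel log lines on stdin and prints, most frequent
# first, "<count> <source address> <destination port>" for the dropped packets.
summarize_drops() {
    grep -F "$LOG_PREFIX" | awk '{
        src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (src != "") count[src " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample log excerpt (TEST-NET addresses), not real traffic.
SAMPLE_LOG='Aug 18 13:52:18 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
Aug 18 13:52:19 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=51235 DPT=22 SYN URGP=0
Aug 18 13:52:20 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Aug 18 13:52:21 fw kernel: eth0: link is up
Aug 18 13:52:22 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=51236 DPT=22 SYN URGP=0'

# Stand-alone run: show the ruleset, then the summary of the sample log.
fw_rules
echo "--- drop summary (constructed sample) ---"
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On a real firewall the summariser would read the file syslog writes for kern.debug instead of the embedded sample; the rate limit on the LOG rule means counts are a lower bound during a flood, which is the trade-off for keeping the log usable.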