iptables SECURITY - default settings

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Thu Sep 9 21:34:29 UTC 2004


On Thu, 09.09.2004, at 23:04, Wal wrote:

> I am suggesting a more secure default setting-

> -I SecLev505-INPUT -p all -j DROP

> Alternately (with possible issue when rules actually get applied)-

> -A SecLev505-INPUT -p all -j DROP

I would heavily dislike a default DROP rule setup with iptables. There
is a long discussion about DROP versus REJECT in the firewall forums,
and I follow the arguments for REJECTing. One reason which affects users
of Fedora: a DROP policy / default rule makes it much harder for anyone,
and especially less experienced users, to track down problems caused by
firewalling, with no real gain on the other side. It is and stays a myth
that DROPping packets makes a system invisible to attackers (buzzword
"stealth mode" in PFW products). For the majority of users, feedback in
the form of an ICMP port unreachable is most useful.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp 
Serendipity 23:22:47 up 10 days, 20:39, load average: 0.38, 0.42, 0.37 
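The two catch-all endings the thread argues about, side by side, as an added example that is not part of the original post or of Fedora's firewall configuration. The chain name SecLev505-INPUT comes from the quoted message; the sample iptables-save dump, the rule set inside it and the helper names (drop_rule, reject_rule, audit_chain, prefer_reject) are constructed for this example. The audit function looks at the last rule appended to a chain and reports whether it silently drops or answers with ICMP, which is the behaviour a user would otherwise have to discover by waiting for a connection to time out.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Shows a silent DROP
# catch-all next to the REJECT variant the reply argues for, plus a small
# audit over an iptables-save style dump (constructed sample below).

# Catch-all in the "stealth" style: packets are discarded without any reply,
# so a blocked client only sees a timeout.
drop_rule() {
    printf '%s\n' "-A SecLev505-INPUT -j DROP"
}

# Catch-all in the REJECT style: the kernel answers with an ICMP port
# unreachable, so a blocked client learns immediately that a filter is in
# the way. icmp-port-unreachable is the IPv4 default for -j REJECT; naming
# it makes the intent visible in the rule set.
reject_rule() {
    printf '%s\n' "-A SecLev505-INPUT -j REJECT --reject-with icmp-port-unreachable"
}

# Constructed iptables-save style dump used as sample input (assumption:
# a custom chain hooked from INPUT, ending in a catch-all DROP).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SecLev505-INPUT - [0:0]
-A INPUT -j SecLev505-INPUT
-A SecLev505-INPUT -i lo -j ACCEPT
-A SecLev505-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A SecLev505-INPUT -p tcp --dport 22 -j ACCEPT
-A SecLev505-INPUT -j DROP
COMMIT'

# audit_chain DUMP CHAIN: prints "drop", "reject" or "none" depending on the
# target of the last rule appended to CHAIN in DUMP.
audit_chain() {
    dump=$1
    chain=$2
    last=$(printf '%s\n' "$dump" | grep "^-A $chain " | tail -n 1)
    case "$last" in
        *"-j DROP"*)   echo drop ;;
        *"-j REJECT"*) echo reject ;;
        *)             echo none ;;
    esac
}

# prefer_reject DUMP CHAIN: rewrites a bare trailing "-j DROP" in CHAIN to
# the REJECT variant and prints the resulting dump; all other lines are kept.
prefer_reject() {
    dump=$1
    chain=$2
    printf '%s\n' "$dump" | sed "s/^-A $chain -j DROP\$/$(reject_rule)/"
}

# Stand-alone run: report the sample's catch-all, then show the rewritten dump.
echo "sample chain ends with: $(audit_chain "$SAMPLE_DUMP" SecLev505-INPUT)"
prefer_reject "$SAMPLE_DUMP" SecLev505-INPUT
```

The rewritten dump can be fed back with `iptables-restore` on a real host; the audit itself needs no root and works on any saved rule set, which is the point: a DROP catch-all is easy to spot in the configuration and hard to diagnose from the client side.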