Re: RFC - sysadmin guidelines

On Fri, 16 Jan 2009, Frank Chiulli wrote:

> Mike,
> First let me say that the examples are a great addition to the page.
>
> I was looking at the iptables sample configuration and had some
> questions.  I compared your suggested configuration to my current
> configuration (Fedora 10).  With the exception of the lines with
> '--tcp-flags' in your sample configuration, they're pretty close.  I
> don't have those yet.  The first three lines that start with '-A' in
> your sample are the same as mine except the order is different.  Does
> the order make a difference?
>
> Here are the lines from my file:
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
>
> Here are yours:
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
>

The order isn't that important, though I should really have
established,related come first.  The main reason for this is because
IPTables runs like a list; any already approved content doesn't have to
get checked against much of the list but instead is automatically
approved.

This has security implications, but for most setups it's a good policy.
I'll actually move that up now and refresh that page soon.

	-Mike

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
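
The first-match behaviour discussed in the reply, as an added example that is not part of the original thread: a small simulator that walks the three quoted rules in both orders and counts how many rules each packet is checked against. It models only the -i, -p, --state and -j options; the DROP policy, the eth0 interface name and the traffic mix are assumptions constructed for the illustration.

```python
import shlex

# Rule lines as quoted in the thread (state rule first vs. loopback rule first).
STATE_FIRST = ["-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
               "-A INPUT -p icmp -j ACCEPT",
               "-A INPUT -i lo -j ACCEPT"]
LO_FIRST = [STATE_FIRST[2], STATE_FIRST[0], STATE_FIRST[1]]

def parse_rule(line):
    """Parse only the options used above; anything else is rejected."""
    tok = shlex.split(line)
    rule = {"-i": None, "-p": None, "--state": None, "-j": None}
    for opt, val in zip(tok[0::2], tok[1::2]):
        if opt in ("-A", "-m"):      # chain name / match module: not needed here
            continue
        if opt not in rule:
            raise ValueError(f"unsupported option: {opt}")
        rule[opt] = set(val.split(",")) if opt == "--state" else val
    return rule

def traverse(rules, pkt, policy="DROP"):
    """First match wins. Returns (verdict, number of rules checked)."""
    for n, r in enumerate(rules, 1):
        if (r["-i"] in (None, pkt["iface"]) and r["-p"] in (None, pkt["proto"])
                and (r["--state"] is None or pkt["state"] in r["--state"])):
            return r["-j"], n
    return policy, len(rules)        # assumed chain policy when nothing matches

def run(lines, traffic):
    """Return (list of verdicts, total rule checks) for a list of packets."""
    rules = [parse_rule(l) for l in lines]
    results = [traverse(rules, p) for p in traffic]
    return [v for v, _ in results], sum(n for _, n in results)

def pkt(iface, proto, state):
    return {"iface": iface, "proto": proto, "state": state}

# Constructed traffic mix (an assumption): mostly packets of existing connections.
TRAFFIC = ([pkt("eth0", "tcp", "ESTABLISHED")] * 90
           + [pkt("eth0", "icmp", "NEW")] * 5
           + [pkt("lo", "tcp", "NEW")] * 5
           + [pkt("eth0", "tcp", "NEW")])

if __name__ == "__main__":
    for name, lines in (("state first", STATE_FIRST), ("lo first", LO_FIRST)):
        verdicts, checks = run(lines, TRAFFIC)
        print(f"{name}: {verdicts.count('ACCEPT')} accepted, "
              f"{verdicts.count('DROP')} dropped, {checks} rule checks")
```

Because all three rules are ACCEPT rules, both orders give the same verdict for every packet; only the number of checks differs.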
