The death of policy (WAS -> Re: [ANNOUNCE] Release of iptables-1.4.3.2)

Mart Frauenlob wrote:
> More continuous would be IMHO:
>
> - filter table - DROP allowed and right - DROP policy = good
> - mangle table - DROP prohibited - DROP policy = prohibited
> - nat table - DROP prohibited - DROP policy = prohibited
> - raw table - DROP allowed and right for avoiding conntrack - DROP policy = prohibited

If I follow you, then I would say that we do not need any policy in the mangle, nat and raw tables...
Just simply accept any packet..

> Again, why allow what is considered wrong?
> If you know what you are doing, filtering in the nat table will do what you want, because you know about the special behaviour.
> Only the lack of knowledge makes things go wrong.

(nod)

> And that is the point. If you know iptables, you do your filtering in the filter table, or in the raw table (to avoid conntrack for some blacklist kind of stuff).

Maybe we could delete that conntrack entry if we drop a packet in the filter table...

> Many of them are inexperienced. Therefore the concept should be clear, continuous, and error messages should be understandable.

(nod)

> Preventing the user from doing nonsense. It's about the security, not some trivial thing...

(nod)(nod)

> Well, just thoughts about my favorite software... :)

lol

One more thing...
If there is no policy in the tables (except filter), then the ACCEPT target is (MAYBE) useless in those tables...

Swifty
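The table/policy rules Mart sketches above (DROP policy only in filter; DROP rules in filter or raw, never in nat or mangle) can be checked mechanically before a ruleset is loaded. The script below is an added example written for this archive page, not code from the thread or from the iptables project: it is a small linter over `iptables-save` text that reports any chain policy of DROP outside the filter table and any `-j DROP` rule in the nat or mangle tables, while leaving raw-table drops (the conntrack-avoiding blacklist case) alone. The ruleset it reads is constructed sample input using RFC 5737 documentation addresses; the function name `lint_ruleset` is my own.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not taken from the thread).
# It deliberately contains the combinations the discussion calls wrong.
SAMPLE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING DROP [0:0]
-A PREROUTING -s 203.0.113.7/32 -j DROP
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 22 -j DROP
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 198.51.100.0/24 -j DROP
-A PREROUTING -p udp --dport 53 -j NOTRACK
COMMIT'

# lint_ruleset: read iptables-save text on stdin, print one line per finding,
# return non-zero when anything was flagged.  Rules applied:
#   - a chain policy of DROP is only acceptable in the filter table
#   - "-j DROP" rules are acceptable in filter and raw (raw drops happen before
#     conntrack, which is the blacklist use case), but not in nat or mangle
lint_ruleset() {
    table=""
    findings=0
    while IFS= read -r line; do
        case "$line" in
            \**)
                # table header, e.g. "*nat"
                table="${line#\*}"
                ;;
            :*)
                # chain header with policy, e.g. ":INPUT DROP [0:0]"
                # (parameter expansion instead of set -- so "[0:0]" is never globbed)
                chain="${line%% *}"; chain="${chain#:}"
                rest="${line#* }";   policy="${rest%% *}"
                if [ "$policy" = DROP ] && [ "$table" != filter ]; then
                    echo "policy: table=$table chain=$chain has DROP policy (only filter should)"
                    findings=$((findings + 1))
                fi
                ;;
            -A*)
                case "$line" in
                    *" -j DROP"|*" -j DROP "*)
                        case "$table" in
                            nat|mangle)
                                echo "rule: table=$table drops packets; use filter (or raw to skip conntrack) instead: $line"
                                findings=$((findings + 1))
                                ;;
                        esac
                        ;;
                esac
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Stand-alone demonstration: the sample yields three findings
# (nat POSTROUTING policy, nat DROP rule, mangle DROP rule); raw is not flagged.
printf '%s\n' "$SAMPLE_RULESET" | lint_ruleset \
    || echo "ruleset has findings; review before iptables-restore"
```

In practice you would run `iptables-save | lint_ruleset` against a live box, or `lint_ruleset < rules.v4 && iptables-restore < rules.v4` as a pre-load gate; `# Generated by` comment lines and `COMMIT` fall through the `case` untouched.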

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
