Re: Implications of a permissive FORWARD chain

Leonardo Rodrigues <leolistas <at> solutti.com.br> writes:
>      There's no right or wrong on how your FORWARD default rule should 
> be. Being DROP or ACCEPT depends on your network security policies.
> 
>      Being ACCEPT the default action for FORWARD, your linux router will 
> forward anything from one side to the other, unless it's explicitly 
> DROPped on the rules. Being DROP the default action, everything will be 
> dropped, except explicitly ACCEPTed by your rules.
> 
>      Which one fulfills your demands? So that's the right one for you! 
> No one can tell you, giving only the information you wrote, that DROP or 
> ACCEPT is right or wrong. There's really no right or wrong here, there's 
> what fulfills your demands/needs and what doesn't.

Thanks for the reply, Leonardo. I'm not asking someone else to tell me what
is the right thing to do. What I'm wondering is what kind of damage someone
else on the network could use a machine with a permissive forwarding policy
to do. Spoofing obviously, but anything else?

With that better understanding, I'll be equipped to make that call.

In the larger context, the fact that several popular Linux distributions
come configured with a firewall that allows all forwarding, all incoming
connections and all outgoing connections is somewhat surprising.

Mark
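As an added illustration of the default-DROP FORWARD policy Leonardo describes (example code written for this page, not from anyone in the thread): a small script that emits an iptables-restore ruleset in which only LAN-originated connections are forwarded and source addresses that do not belong on the interface they arrived on are logged and dropped. It assumes eth0 as the inside interface, eth1 as the outside interface and 192.168.1.0/24 as the inside prefix; running it only prints the ruleset, nothing is applied.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names and the LAN prefix are
# assumptions for illustration; override them via the environment.
LAN_IF="${LAN_IF:-eth0}"                 # assumed inside interface
WAN_IF="${WAN_IF:-eth1}"                 # assumed outside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed inside prefix

# Print an iptables-restore ruleset whose FORWARD chain defaults to DROP.
build_forward_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the router already allowed are forwarded back.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: a LAN-side packet must carry a LAN source, and a WAN-side
# packet must not. Log a sample of violations, then drop them.
-A FORWARD -i $LAN_IF ! -s $LAN_NET -m limit --limit 5/min -j LOG --log-prefix "FWD-SPOOF: "
-A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# Only the LAN may open new connections toward the WAN; nothing initiates inward.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# Everything else falls through to the DROP policy; keep a rate-limited trace.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Report the default policy the ruleset sets for the FORWARD chain ("DROP").
forward_policy() {
    build_forward_ruleset | sed -n 's/^:FORWARD \([A-Z]*\).*/\1/p'
}

# Running the script prints the ruleset for review; on the router it can be
# loaded with: sh this_script.sh | iptables-restore   (root required).
build_forward_ruleset
```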


