Re: Implications of a permissive FORWARD chain

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2014-02-19 09:02, Mark Fox wrote:
Leonardo Rodrigues writes:
     There's no right or wrong on how your FORWARD default rule should
be. Being DROP or ACCEPT depends on your network security policies.

Being ACCEPT the default action for FORWARD, your linux router will
forward anything from one side to the other, unless it's explicity
DROPped on the rules. Being DROP the default action, everything will be
dropped, except explicitely ACCEPTed by your rules.

     Which one fullfit you demands ? So that's the right one for you !
No one can tell you, giving only the information you wrote, that DROP or ACCEPT is right or wrong. There's really no right or wrong here, there's
what fullfilts your demands/needs and what doesnt.

Thanks for the reply, Leonardo. I'm not asking someone else to tell me what is the right thing to do. What I'm wondering is what kind of damage someone else on the network could use a machine with a permissive forwarding policy
to do. Spoofing obviously, but anything else?

With that better understanding, I'll be equipped to make that call.

In the larger context, the fact that several popular Linux distributions come configured with a firewall that allows all forwarding, all incoming
connections and all outgoing connections is somewhat surprising.

That "all incoming connections" surprises me to. But then you are asking about FORWARD not INPUT.


Like you surmised earlier the implications for the client hosts is the same as if your forwarding host was not there at all.

IMHO, a permissive rule is warranted but you can do somewhat better than the black and white situation of accept all. Your host is in the position to set a few basic security policies for specific ports and services (eg FINGER, Windows RPC perhapse) and definitely block bogon traffic.

Amos
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux