On 2014-02-19 09:02, Mark Fox wrote:
Leonardo Rodrigues writes:
There's no right or wrong on how your FORWARD default rule should
be. Being DROP or ACCEPT depends on your network security policies.
Being ACCEPT the default action for FORWARD, your linux router
will
forward anything from one side to the other, unless it's explicity
DROPped on the rules. Being DROP the default action, everything will
be
dropped, except explicitely ACCEPTed by your rules.
Which one fullfit you demands ? So that's the right one for you !
No one can tell you, giving only the information you wrote, that DROP
or
ACCEPT is right or wrong. There's really no right or wrong here,
there's
what fullfilts your demands/needs and what doesnt.
Thanks for the reply, Leonardo. I'm not asking someone else to tell me
what
is the right thing to do. What I'm wondering is what kind of damage
someone
else on the network could use a machine with a permissive forwarding
policy
to do. Spoofing obviously, but anything else?
With that better understanding, I'll be equipped to make that call.
In the larger context, the fact that several popular Linux
distributions
come configured with a firewall that allows all forwarding, all
incoming
connections and all outgoing connections is somewhat surprising.
That "all incoming connections" surprises me to. But then you are asking
about FORWARD not INPUT.
Like you surmised earlier the implications for the client hosts is the
same as if your forwarding host was not there at all.
IMHO, a permissive rule is warranted but you can do somewhat better than
the black and white situation of accept all. Your host is in the
position to set a few basic security policies for specific ports and
services (eg FINGER, Windows RPC perhapse) and definitely block bogon
traffic.
Amos
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
