On Thu, 2 Oct 2003, Jack Bowling wrote:

> On Mon, Sep 29, 2003 at 01:45:52PM -0400, Parker Morse wrote:
> > I'm not the best person to be asking about firewalls, but:
> >
> > I think you're confused about the way OUTPUT works. It acts on any
> > packets sent out by your system. Unless you are concerned about how
> > users of your system are going to be using it, you're creating more
> > problems than you're solving by having too many rules on OUTPUT. Unlike
> > INPUT, where you don't know what's coming in from outside, you're
> > better off with a permissive policy (only blocking ports which cause
> > trouble, instead of only opening ports you need) on OUTPUT.
>
> "Better off" is subjective. Having a permissive policy on the OUTPUT
> chain is certainly less work for the admin. But I lock all chains down
> cuz then I have to force myself to write the rules I need to get packets
> out as well as in. I like knowing what my firewall is set to do rather
> than take it on faith.

And until my firewall was brought to its knees by 5 hosts infected with
ms-blast, I didn't realize the importance of the methodology. IMO, it is
a pain but a necessity.

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
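One way to write the locked-down-all-chains ruleset Jack describes, as an added example that is not from the thread or from any poster: every chain defaults to DROP, outbound traffic must be explicitly permitted, and whatever is still dropped on OUTPUT is logged with a rate limit so a host that suddenly sprays connections cannot flood the log. The iptables path and the permitted port lists are assumptions for a typical workstation.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny on INPUT, FORWARD and
# OUTPUT, with outbound traffic allow-listed per port.
IPT=${IPT:-iptables}                              # assumed binary name
ALLOWED_TCP_OUT=${ALLOWED_TCP_OUT:-"22 80 443"}   # ssh, http, https (assumed)
ALLOWED_UDP_OUT=${ALLOWED_UDP_OUT:-"53 123"}      # dns, ntp (assumed)

# Print the rules instead of running them, so they can be reviewed first.
output_rules() {
    echo "$IPT -F"
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT DROP"
    # Loopback and replies to already-accepted connections stay open.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New outbound connections only to the ports this host is known to need.
    for p in $ALLOWED_TCP_OUT; do
        echo "$IPT -A OUTPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $ALLOWED_UDP_OUT; do
        echo "$IPT -A OUTPUT -p udp --dport $p -j ACCEPT"
    done
    # Everything else leaving the box is logged (rate-limited, so a burst of
    # refused connections from a misbehaving host does not swamp the log)
    # and then dropped by the chain policy.
    echo "$IPT -A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix 'OUTPUT-DROP: '"
}

# How many outbound ports the generated ruleset explicitly opens.
count_opened_ports() {
    output_rules | grep -c -- '-A OUTPUT .*--dport'
}

# Apply only when asked (needs root):  APPLY=1 sh output-deny.sh
if [ "${APPLY:-0}" = "1" ]; then
    output_rules | sh -e
fi
```

Review the printed rules, then apply; note that the flush and DROP policies briefly cut all traffic until the ESTABLISHED rules are added, so run it from the console on a remote host.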