On Sun, 10 Aug 2014 16:07:01 -0400 Tom H <tomh0...@gmail.com> wrote:

> On Sun, Aug 10, 2014 at 2:24 PM, Nemeth Gyorgy <fri...@freemail.hu> wrote:
> > On 2014-08-10 11:33, Pascal Hambourg wrote:
> >>
> >> Nemeth Gyorgy's ruleset is too complicated. Use the bare minimum:
> >>
> >> sysctl -w net.ipv4.ip_forward=1
> >> iptables -t nat -P ACCEPT
> >> iptables -t filter -P ACCEPT
> >
> > This is really a big security hole.
>
> This is one of these hopelessly unresolvable issues where some people
> believe that the correct config is to have policy DROP/REJECT and
> others believe that the correct config is to have a policy of ACCEPT
> and to have the final rule in the respective chains be DROP/REJECT.
Why is it unresolvable? A DROP/REJECT policy is fail-safe, ACCEPT isn't. If the rest of the rules are correct (and, more importantly, guaranteed always to stay that way in the face of editing, sometimes rushed), an ACCEPT policy is redundant, and if they're not, it's dangerous. You will never *ever* want that ACCEPT policy rule to be traversed.

But it greatly simplifies matters during a short go/no-go test, during which the probability of an attack is quite small. And here's another reason that the Internet connection should be farmed out to a dedicated device containing at least a simple stateful packet filter, so that experimentation with the main firewall carries little risk.

--
Joe

Archive: https://lists.debian.org/20140810213030.1e3a3...@jretrading.com
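Joe's fail-safe argument, as an added example that is not part of the thread: a small Python model of netfilter chain traversal (a constructed simulation, not real iptables) showing what each design does to an unsolicited packet once a rushed `iptables -F` has removed the rules but left the chain policy in place.

```python
"""Compare a DROP-policy chain with an ACCEPT-policy chain that relies on a
trailing DROP rule. Matching is simplified to protocol, dport and conntrack
state; the rule set and packets below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    target: str                    # ACCEPT or DROP
    proto: Optional[str] = None    # "tcp", "udp" or None for any protocol
    dport: Optional[int] = None    # None matches any destination port
    state: Optional[str] = None    # conntrack state, e.g. NEW, ESTABLISHED

    def matches(self, pkt: dict) -> bool:
        wanted = (("proto", self.proto), ("dport", self.dport), ("state", self.state))
        return all(v is None or pkt[k] == v for k, v in wanted)


@dataclass
class Chain:
    policy: str
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:            # first matching rule wins
            if rule.matches(pkt):
                return rule.target
        return self.policy                 # reached only when nothing matched

    def flush(self) -> None:
        self.rules.clear()                 # like `iptables -F`: rules go, policy stays


# Same allow rules in both designs: reply traffic plus new SSH connections.
ALLOW = [Rule("ACCEPT", state="ESTABLISHED"), Rule("ACCEPT", "tcp", 22, "NEW")]


def policy_drop_chain() -> Chain:
    return Chain("DROP", list(ALLOW))


def policy_accept_chain() -> Chain:
    return Chain("ACCEPT", list(ALLOW) + [Rule("DROP")])   # trailing catch-all DROP


def verdicts_before_and_after_flush(pkt: dict) -> dict:
    """Map design name -> (verdict with rules loaded, verdict after a flush)."""
    result = {}
    for name, chain in (("policy_drop", policy_drop_chain()),
                        ("policy_accept", policy_accept_chain())):
        before = chain.verdict(pkt)
        chain.flush()
        result[name] = (before, chain.verdict(pkt))
    return result
```

With rules loaded both designs give identical verdicts; the difference appears only after the flush, which is exactly the rushed-editing case the reply describes.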