Genes MailLists wrote:
> On 08/17/2010 02:08 AM, Tom H wrote:
>> #!/bin/sh
>> IPTABLES="/sbin/iptables"
>> $IPTABLES --table filter --policy INPUT ACCEPT
>> $IPTABLES --table filter --policy FORWARD ACCEPT
>> $IPTABLES --table filter --policy OUTPUT ACCEPT
> 
> 
>    Not saying I'm commenting on the wisdom of the rules one way or
> another - just asking - Does one really want default policy of accept on
> all of these ?
> 
The answer is: for a desktop they are adequate, for a firewall absolutely not. I 
boot my firewall and set up using bash scripts to change anything. My firewall 
config tool is vi. And none of my policies is permissive: open policies follow 
the 'anything not forbidden is allowed' rule, while my choice is 'anything not 
explicitly permitted is forbidden.'

I also use the log facility heavily on a firewall, to catch attacks. I log to a 
debug file and check it regularly from a perl script.

-- 
Bill Davidsen <david...@tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
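As an added example (not from the thread or any poster), here is what the quoted ACCEPT-policy script looks like when rewritten in the "anything not explicitly permitted is forbidden" style described above, with rate-limited logging at debug level so the dropped traffic can be reviewed later. The interface name (eth0) and the ports passed on the command line are assumptions; run it with IPTABLES=echo to preview the rules without touching the kernel.

```shell
#!/bin/sh
# Added example, not the original poster's script: default-deny iptables
# skeleton with logging of everything that falls through to the DROP policy.
# Preview without changing anything:  IPTABLES=echo sh fw.sh --apply 22 443
IPTABLES="${IPTABLES:-/sbin/iptables}"
WAN="${WAN:-eth0}"          # assumed external interface

# apply_policy PORT...  -- flush the filter table, set DROP policies, then
# open only loopback, replies to our own connections, and the given TCP ports.
apply_policy() {
    $IPTABLES --table filter --flush
    $IPTABLES --table filter --policy INPUT DROP
    $IPTABLES --table filter --policy FORWARD DROP
    $IPTABLES --table filter --policy OUTPUT DROP

    # Loopback is always needed by local services.
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Stateful: accept replies to connections this host opened, and let the
    # host itself start new outbound connections.
    $IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Explicitly permitted inbound services, one rule per port.
    for port in "$@"; do
        $IPTABLES -A INPUT -i "$WAN" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # Everything else: log at debug level, rate-limited so a flood cannot fill
    # the disk, then fall off the end of the chain into the DROP policy.
    $IPTABLES -A INPUT   -m limit --limit 5/min -j LOG \
        --log-prefix "FW-DROP-IN: "  --log-level debug
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG \
        --log-prefix "FW-DROP-FWD: " --log-level debug
}

# rule_count PORT...  -- number of iptables commands apply_policy would issue
# (runs the function with IPTABLES=echo in a subshell, so nothing is applied).
rule_count() {
    (IPTABLES=echo; apply_policy "$@") | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    shift
    apply_policy "$@"
fi
```

The LOG rules sit last in each chain on purpose: anything a preceding ACCEPT did not match is recorded and then dropped by the chain policy, which is what a Perl script watching the debug log would be parsing.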
