Just curious the reasons for not using default 'policy', but preferring 'back stop' rules in SuSEpersonal-firewall. Can anyone explain the reasons?
Initial impression, would be that setting a policy of DENY on INPUT would be more secure. The usage is commented on, but not explained which makes me curious!
:-) That's very simple: The SuSEpersonal-firewall actually lets more packets pass than it drops/rejects. The main rule is the one where TCP SYN packets get rejected. Everything else is just featurism. By consequence, a changed default policy would require listing all options where a packet is allowed to pass. I judged the way to solve it by the number of rules I'd have to add to the filter. Second reason: The personal-firewall does not touch any rule in the existing ruleset. All rules can be safely removed by the script because they use a "private" namespace, e.g. other chains (rulchain, devchain, maschain) to match against the criteria. This way, masquerading can be turned on with just one variable without breaking anything.
Rob
Thanks,
Roman.
--
- -
| Roman Drahtmüller
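The design Roman describes, as an added illustration (not the SuSEpersonal-firewall script itself): the default policies are left alone, everything lives in private chains that can be flushed and deleted without touching other rules, the one "real" rule rejects inbound TCP SYN, and masquerading hangs off a single variable. Chain names, the interface name and the `IPT` dry-run default are assumptions for this example.

```shell
#!/bin/sh
# Backstop-style ruleset in private chains (example, not the original script).
# IPT defaults to a dry run that prints the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"   # assumed external interface
MASQ="${MASQ:-no}"         # the single variable that toggles masquerading

pf_install() {
    # Private chain hooked into INPUT; INPUT's own policy is never changed.
    $IPT -N pf_in
    $IPT -A INPUT -i "$EXT_IF" -j pf_in
    # Let replies to connections we initiated pass.
    $IPT -A pf_in -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The main rule: reject new inbound TCP connection attempts (SYN).
    $IPT -A pf_in -p tcp --syn -j REJECT
    # Backstop for non-TCP: drop new UDP, everything else falls through
    # to the unchanged default policy.
    $IPT -A pf_in -p udp -m state --state NEW -j DROP
    if [ "$MASQ" = yes ]; then
        # Masquerading also lives in its own chain so it can be removed alone.
        $IPT -t nat -N pf_masq
        $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j pf_masq
        $IPT -t nat -A pf_masq -j MASQUERADE
    fi
}

pf_remove() {
    # Undo only what pf_install added: unhook, flush and delete private chains.
    $IPT -D INPUT -i "$EXT_IF" -j pf_in
    $IPT -F pf_in
    $IPT -X pf_in
    # nat chain may not exist if MASQ was off; errors are harmless here.
    $IPT -t nat -D POSTROUTING -o "$EXT_IF" -j pf_masq 2>/dev/null
    $IPT -t nat -F pf_masq 2>/dev/null
    $IPT -t nat -X pf_masq 2>/dev/null
}
```

Run `IPT=iptables MASQ=yes sh -c '. ./pf.sh; pf_install'` (as root) to apply, and `pf_remove` to take it all out again; note that no `-P` command appears anywhere, which is the whole point.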