Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] SuSEpersonal-firewall - Reason for not using a default policy for INPUT
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Tue, 22 Jan 2002 03:22:47 +0100 (MET)
  • Message-id: <Pine.LNX.4.44.0201220317590.4470-100000@xxxxxxxxxxxx>
>
> Just curious the reasons for not using default 'policy', but preferring 'back
> stop' rules in SuSEpersonal-firewall. Can anyone explain the reasons?
>
> Initial impression, would be that setting a policy of DENY on INPUT would be
> more secure. The usage is commented on, but not explained which makes me
> curious!
>

:-) That's very simple: The SuSEpersonal-firewall actually lets more
packets pass than it drops/rejects. The main rule is the one where TCP SYN
packets get rejected. Everything else is just featurism. By consequence,
a changed default policy would require listing all options where a packet
is allowed to pass. I judged the way to solve it by the number of rules
I'd have to add to the filter.

Second reason: The personal-firewall does not touch any rule in the
existing ruleset. All rules can be safely removed by the script because
they use a "private" namespace, e.g. other chains (rulchain, devchain,
maschain) to match against the criteria. This way, masquerading can be
turned on with just one variable without breaking anything.

> Rob
>

Thanks,
Roman.
--
- -
| Roman Drahtmüller   <draht@xxxxxxx> // "You don't need eyes to see, |
  SuSE GmbH - Security        Phone: //  you need vision!"
| Nürnberg, Germany    +49-911-740530 // Maxi Jazz, Faithless        |
- -
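The "private chain" design Roman describes, shown as an added shell example (this is not the SuSEpersonal-firewall script itself, and the chain name pfwchain is an assumption; the real script's chains are named in the mail above): INPUT's default policy is never changed, all incoming packets are diverted through one chain we own, the only decisive rule there rejects TCP SYN, and a RETURN backstop hands everything else back to whatever rules and policy were already in INPUT. Because nothing outside that chain is touched, pfw_stop can remove exactly what pfw_start added. IPT can be set to "echo" to see the rules without root.

```shell
#!/bin/sh
# Added example of backstop rules in a private chain (not the original
# SuSEpersonal-firewall code). Assumed chain name: pfwchain.
# Override IPT (e.g. IPT=echo) to dry-run the rule set without root.
IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-pfwchain}"

pfw_start() {
    # Create our own chain so the existing INPUT rules are never touched.
    "$IPT" -N "$CHAIN"
    # Divert every incoming packet through it, ahead of the user's own rules.
    "$IPT" -I INPUT 1 -j "$CHAIN"
    # Loopback traffic is always fine ("featurism", in Roman's words).
    "$IPT" -A "$CHAIN" -i lo -j RETURN
    # The one rule that matters: reject new TCP connection attempts (SYN).
    "$IPT" -A "$CHAIN" -p tcp --syn -j REJECT --reject-with tcp-reset
    # Backstop: everything else goes back to INPUT, so the pre-existing
    # rules and the unchanged default policy still decide its fate.
    "$IPT" -A "$CHAIN" -j RETURN
}

pfw_stop() {
    # Remove only what we added: the jump, then our rules, then the chain.
    # No -P here either: the INPUT policy was never ours to change.
    "$IPT" -D INPUT -j "$CHAIN"
    "$IPT" -F "$CHAIN"
    "$IPT" -X "$CHAIN"
}

case "${1:-}" in
    start) pfw_start ;;
    stop)  pfw_stop ;;
esac
```

Run it as `IPT=echo sh pfw.sh start` to print the rules, then as root without IPT to apply them; `stop` takes the firewall out again and leaves any rules the administrator had in INPUT exactly as they were. Compare this with the policy-based approach Roman rejected: with `-P INPUT DROP` every legitimate flow would need its own ACCEPT rule, and a script that flips the policy back on stop could not know what it was before.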

