[linux-security] Suggestion for Linux default fw policy
daemon@ATHENA.MIT.EDU (Graeme Elsworthy)
Fri Aug 9 12:13:40 1996
To: linux-security@tarsier.cv.nrao.edu
Date: Fri, 09 Aug 1996 17:41:19 +1000
From: Graeme Elsworthy <graemee@tplrd.tpl.oz.au>
Hi all,
I've been bitten by what I consider to be a problem with the
default policy in Linux 2.0. I mean the default policy immediately
after an interface is ifconfig'ed. In net/ipv4/ip_fw.c line 153
(2.0.10; not sure about other patch levels) there are three assignments,
one for each of the in, out and forward directions, of IP_FW_F_ACCEPT.
I suggest that anybody using Linux as part of a firewall, such as a
filtering router or bastion host, should change these assignments to 0,
thus changing the default policy to "deny".
Why? Because for the time between an interface being ifconfig'ed and
the filtering rules being set, the interface is set to "accept" all and
every packet. This is not good. Especially if, as in my case, a reboot
freezes between the ifconfig and the setting of the filtering rules: the
interface is up and forwarding all packets, not filtering packets as
needed, and nothing but manual intervention could fix it.
Any comments?
Cheers,
Graeme.
Graeme Elsworthy, Systems Manager
Telectronics Pacing Systems
7 Sirius Rd, Lane Cove, NSW 2066, Australia
Tel: +61 2 9413 6888  Fax: +61 2 9413 6060  Email: graemee@tplrd.tpl.oz.au
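One way to close the window described in the message without patching ip_fw.c, as an added example that is not part of the original post: a boot script that sets the ipfwadm(8) input, output and forwarding policies to deny and loads the rules before ifconfig runs, and leaves the interface down if either step fails. It assumes the policies can be set while no interface is up (they are the kernel-global values the post points at, not per-interface settings); the rule file path, interface name and addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or the kernel): order the boot
# sequence as "deny policy -> rules -> ifconfig" and fail closed, so there is
# no moment at which an interface is up with an accept-everything policy.
IPFWADM=${IPFWADM:-ipfwadm}
IFCONFIG=${IFCONFIG:-ifconfig}

# Step 1: make the input, output and forwarding policies deny while no
# interface is up yet (assumes the policies are global, not per interface).
set_deny_policy() {
    $IPFWADM -I -p deny && $IPFWADM -O -p deny && $IPFWADM -F -p deny
}

# Step 2: load rules from a file holding one ipfwadm argument list per line
# (blank lines and '#' comments are skipped). Stops at the first failing rule.
load_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        $IPFWADM $line || return 1   # word splitting of the rule is intended
    done < "$1"
}

# Step 3: only after the policy and rules are in place is the interface
# configured (interface, address and netmask are placeholders).
bring_up() {
    $IFCONFIG "$1" "$2" netmask "$3" up
}

# Fail closed: if the policy or the rules cannot be installed, the interface
# is never brought up, so a hang or error during boot leaves the host
# unreachable instead of accepting and forwarding everything.
firewall_boot() {
    rules=$1; iface=$2; addr=$3; mask=$4
    set_deny_policy || { echo "deny policy failed; $iface stays down" >&2; return 1; }
    load_rules "$rules" || { echo "rule load failed; $iface stays down" >&2; return 1; }
    bring_up "$iface" "$addr" "$mask"
}
```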