[993] in linux-security and linux-alert archive


[linux-security] Suggestion for Linux default fw policy

daemon@ATHENA.MIT.EDU (Graeme Elsworthy)
Fri Aug 9 12:13:40 1996

To: linux-security@tarsier.cv.nrao.edu
Date: Fri, 09 Aug 1996 17:41:19 +1000
From: Graeme Elsworthy <graemee@tplrd.tpl.oz.au>

Hi all,

I've been bitten by what I consider to be a problem with the
default policy in Linux 2.0.  I mean the default policy immediately
after an interface is ifconfig'ed.  In net/ipv4/ip_fw.c line 153
(2.0.10, not sure other patch levels) there are three assignments,
one for each of the in, out and forward directions, of IP_FW_F_ACCEPT.

I suggest that anybody using Linux as part of a firewall, such as a
filtering router or bastion host, should change these assignments to 0,
thus changing the default policy to "deny".

Why?  Because for the time between an interface being ifconfig'ed and
the filtering rules being set the interface is set to "accept" all and
every packet.  This is not good.  Especially if, as in my case, a reboot
freezes between the ifconfig and the setting of the filtering rules - the
interface is up and forwarding all packets, not filtering packets as
needed, and nothing but manual intervention could fix it.

Any comments?

Cheers,
Graeme.


Graeme Elsworthy,  Systems Manager
Telectronics Pacing Systems
7 Sirius Rd, Lane Cove, NSW 2066, Australia
Tel: +61 2 9413 6888  Fax: +61 2 9413 6060  Email: graemee@tplrd.tpl.oz.au

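Added example, not from the original post: a boot-time bring-up script for a 2.0-era filtering router that closes the window described above from user space, by setting the ipfwadm default policies to "deny" before any interface is ifconfig'ed, so a hang or failure between the two steps leaves the box closed rather than forwarding everything. ipfwadm as the rule tool, the interface names and the addresses are assumptions; FW_RUN=echo gives a dry run.

```shell
#!/bin/sh
# Added example: order firewall policy BEFORE interfaces at boot (Linux 2.0 / ipfwadm).
# Assumptions: ipfwadm is installed; eth0/eth1 and the 192.0.2.x/198.51.100.x
# addresses are illustrative.  Any failure aborts with the deny policy in place.
set -e

FW_RUN=${FW_RUN:-}          # FW_RUN=echo prints the commands instead of running them
run() { $FW_RUN "$@"; }

# Step 1: flush and set default policy "deny" on the input, output and
# forwarding chains.  Nothing is ifconfig'ed yet, so no packet can pass.
set_default_deny() {
    for chain in -I -O -F; do
        run ipfwadm "$chain" -f
        run ipfwadm "$chain" -p deny
    done
}

# Step 2: only now bring the interfaces up (assumed names and addresses).
bring_up_interfaces() {
    run ifconfig lo 127.0.0.1 up
    run ifconfig eth0 192.0.2.1 netmask 255.255.255.0 up
    run ifconfig eth1 198.51.100.1 netmask 255.255.255.0 up
}

# Step 3: load the explicit accept rules; anything not listed stays denied.
load_rules() {
    run ipfwadm -I -a accept -W lo
    run ipfwadm -O -a accept -W lo
    # site-specific filtering rules follow here (assumed to live in this script)
}

firewall_boot() {
    set_default_deny
    bring_up_interfaces
    load_rules
}

# Self-check on a dry run: the first ifconfig must come after the last "-p deny".
ordering_ok() {
    out=$(FW_RUN=echo; firewall_boot)
    deny_line=$(printf '%s\n' "$out" | grep -n -- '-p deny' | tail -1 | cut -d: -f1)
    ifc_line=$(printf '%s\n' "$out" | grep -n '^ifconfig' | head -1 | cut -d: -f1)
    [ "$deny_line" -lt "$ifc_line" ]
}

# Usage: FW_RUN=echo sh fw-boot.sh   (dry run)   |   sh fw-boot.sh --apply
case "${1:-}" in --apply) ordering_ok && firewall_boot ;; esac
```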