[997] in linux-security and linux-alert archive


Re: [linux-security] Suggestion for Linux default fw policy

daemon@ATHENA.MIT.EDU (Alan Cox)
Mon Aug 12 18:50:22 1996

From: alan@lxorguk.ukuu.org.uk (Alan Cox)
To: graemee@tplrd.tpl.oz.au (Graeme Elsworthy)
Date: Sun, 11 Aug 1996 21:42:29 +0100 (BST)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <9608090742.AA18646@sydrd15> from "Graeme Elsworthy" at Aug 9, 96 05:41:19 pm

> default policy in Linux 2.0.  I mean the default policy immediately
> after an interface is ifconfig'ed.  In net/ipv4/ip_fw.c line 153
> (2.0.10, not sure other patch levels) there are three assignments,
> one for each of the in, out and forward directions, of IP_FW_F_ACCEPT.

Correct

> I suggest that anybody using Linux as part of a firewall, like as a
> filtering router or bastion host, should change these assignments to 0,
> thus changing the default policy to "deny".

Not required

> Why?  Because for the time between an interface being ifconfig'ed and
> the filtering rules being set the interface is set to "accept" all and
> every packet.  This is not good.  Especially if, as in my case, a reboot
> freezes between the ifconfig and the setting of the filtering rules - the
> interface is up and forwarding all packets, not filtering packets as
> needed, and nothing but manual intervention could fix it.
> 
> Any comments?

You can change the policy (and should do) before you configure the interfaces.
You can also add all but interface specific rules before ifconfig as well.

Alan

[Mod: Most of this information has already gone out to linux-security,
but I approved this due to Alan's pointing out the detail regarding
interface-specific rules.  --Jeff.]
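The bring-up order Alan describes, written out as a constructed example (not code from the thread or from the kernel): default policy to deny first, then the rules that do not name an interface, then ifconfig, then the interface-specific rules. The addresses, the eth0 name and the particular rules are assumptions chosen for illustration.

```sh
#!/bin/sh
# Order firewall setup so no interface is ever up under "accept".
# Constructed example; BASTION, INNER_NET and EXT_IF are assumed values.
BASTION=203.0.113.10         # assumed outer address of this host
INNER_NET=192.168.1.0/24     # assumed internal network (behind eth1)
EXT_IF=eth0                  # assumed outer interface

# Print each command unless FW_APPLY=1, so the plan can be reviewed
# (and checked) without touching a live kernel.
run() {
    if [ "${FW_APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

fw_bringup() {
    # 1. Close the window first: flush and deny on all three chains
    #    while no interface is configured yet.
    for chain in I O F; do
        run ipfwadm -$chain -f
        run ipfwadm -$chain -p deny
    done
    # 2. Rules that need no interface can go in before ifconfig.
    run ipfwadm -I -a accept -P tcp -S $INNER_NET -D $BASTION 22
    run ipfwadm -I -a accept -P tcp -k -S 0/0 -D $BASTION
    run ipfwadm -O -a accept -S $BASTION
    # 3. Only now bring the interface up; it comes up under "deny".
    run ifconfig $EXT_IF $BASTION netmask 255.255.255.0 up
    # 4. Interface-specific rules last. Insert (-i) the anti-spoof
    #    deny at the head so it is checked before the accepts above.
    run ipfwadm -I -i deny -o -W $EXT_IF -S $INNER_NET
}

fw_bringup
```

Run with FW_APPLY=1 to execute instead of printing; without it the script only lists the planned commands in order.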
