[997] in linux-security and linux-alert archive
Re: [linux-security] Suggestion for Linux default fw policy
daemon@ATHENA.MIT.EDU (Alan Cox)
Mon Aug 12 18:50:22 1996
From: alan@lxorguk.ukuu.org.uk (Alan Cox)
To: graemee@tplrd.tpl.oz.au (Graeme Elsworthy)
Date: Sun, 11 Aug 1996 21:42:29 +0100 (BST)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <9608090742.AA18646@sydrd15> from "Graeme Elsworthy" at Aug 9, 96 05:41:19 pm
> default policy in Linux 2.0. I mean the default policy immediately
> after an interface is ifconfig'ed. In net/ipv4/ip_fw.c line 153
> (2.0.10, not sure other patch levels) there are three assignments,
> one for each of the in, out and forward directions, of IP_FW_F_ACCEPT.
Correct
> I suggest that anybody using Linux as part of a firewall, like as a
> filtering router or bastion host, should change these assignments to 0,
> thus changing the default policy to "deny".
Not required
> Why? Because for the time between an interface being ifconfig'ed and
> the filtering rules being set the interface is set to "accept" all and
> every packet. This is not good. Especially if, as in my case, a reboot
> freezes between the ifconfig and the setting of the filtering rules - the
> interface is up and forwarding all packets, not filtering packets as
> needed, and nothing but manual intervention could fix it.
>
> Any comments?
You can change the policy (and should do) before you configure the interfaces.
You can also add all but interface-specific rules before ifconfig as well.
Alan
[Mod: Most of this information has already gone out to linux-security,
but I approved this due to Alan's pointing out the detail regarding
interface-specific rules. --Jeff.]
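The ordering Alan describes, written out as an rc-style script for Linux 2.0 and ipfwadm (added here as an illustration; it is not code from the post, from Alan Cox or from the kernel). The deny policies and the address-only rules go in while no interface exists, ifconfig comes next, and only then the rules that name an interface. The interface names, the 192.168.1.0/24 and 203.0.113.0/24 addresses, the rule set itself and the `DRY_RUN`/`plan` switches are assumptions for the example; the `ipfwadm -I/-O/-F`, `-p`, `-f`, `-a`, `-S`, `-D` and `-W` options are the tool's own.

```shell
#!/bin/sh
# Added example, not code from the original post or the Linux kernel.
# Linux 2.0 / ipfwadm start-up in the order recommended above:
#   1. default policy deny (no interface is up yet, so nothing leaks)
#   2. rules that depend only on addresses
#   3. ifconfig
#   4. rules that name an interface
# Interface names and addresses are constructed for illustration.

DRY_RUN=${DRY_RUN:-}   # DRY_RUN=1 prints each command instead of executing it

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Flush and set the policy to deny for input (-I), output (-O) and
#    forwarding (-F) before any interface exists.  A hang between ifconfig
#    and rule loading then leaves the box closed, not open.
set_default_deny() {
    for chain in I O F; do
        run ipfwadm -$chain -f
        run ipfwadm -$chain -p deny
    done
}

# 2. Rules keyed only on addresses can also be installed before ifconfig.
#    (constructed: loopback traffic and forwarding from the inside net)
add_address_rules() {
    run ipfwadm -I -a accept -S 127.0.0.1 -D 127.0.0.1
    run ipfwadm -F -a accept -S 192.168.1.0/24 -D 0.0.0.0/0
}

# 3. Now bring the interfaces up; policy is already deny.
bring_up_interfaces() {
    run ifconfig eth0 192.168.1.1 netmask 255.255.255.0 up
    run ifconfig eth1 203.0.113.2 netmask 255.255.255.0 up
}

# 4. Rules that reference an interface (-W) need the interface to exist:
#    inside addresses are only legitimate on the inside interface.
add_interface_rules() {
    run ipfwadm -I -a deny -W eth1 -S 192.168.1.0/24 -D 0.0.0.0/0
    run ipfwadm -I -a accept -W eth0 -S 192.168.1.0/24 -D 0.0.0.0/0
}

boot_firewall() {
    set_default_deny
    add_address_rules
    bring_up_interfaces
    add_interface_rules
}

# Self-check for the rc script: in the dry-run plan all three deny
# policies must appear before the first ifconfig.  Returns 0 if so.
verify_order() {
    (DRY_RUN=1; boot_firewall) | awk '
        /^ifconfig/ { seen_ifc = 1 }
        /ipfwadm -[IOF] -p deny/ { if (seen_ifc) bad = 1; else policies++ }
        END { exit (bad || policies != 3) }'
}

case "${1:-}" in
    plan)  (DRY_RUN=1; boot_firewall) ;;   # print the sequence, change nothing
    apply) verify_order && boot_firewall ;; # run it for real, after the check
esac
```

`sh fw-boot.sh plan` prints the command sequence for review; `sh fw-boot.sh apply` refuses to run if the self-check finds an ifconfig ahead of the policy lines. The same check can be kept in place when the script is edited later, which is where the ordering mistake described in the thread usually creeps in.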