Iptables initialization

Robert Connolly cendres at videotron.ca
Thu Feb 12 20:00:31 PST 2004


On February 12, 2004 05:54 pm, Dagmar d'Surreal wrote:
> PRINCIPLE OF LEAST PRIVILEGE: That which is not explicitly allowed, is
> automatically denied.

This is much easier said than done. Firewalls, and RBAC too, can only filter 
protocols they know about. Much more than TCP/IP can pass through ethernet or 
DSL cable from someone on the same physical network (your ISP). I don't know 
much about iptables or how many protocols it filters, but a default deny 
policy would have to include ARP, IPX, and misc protocols that can travel on 
a LAN. I don't know if there is a way to block unknown protocols...

> (With respect to a host's participation in a network, it means that the
> machine should initially respond to *no* packets whatsoever.  When a
> host is acting as a firewall, it is especially important that this be
> the case, and as to routers, it's actually documented in an RFC for
> machines acting as routers that they should have their policies in place
> before enabling any interface for routing.)

The RFC also says firewalls should reply to blocked traffic with reset 
packets, and somewhere else it says /sbin/false should have --help. The 
guidelines are not always motivated by security.

> Mind you, what folks should be thinking about is a generic method (i.e.,
> a best practice) for implementing firewalling rulesets, not a list of
> specific firewall rules that people should use.
>
> (hint: firewalling rules that won't match are a waste of CPU cycles)

As far as I know blackhole routing uses less resources than iptables, but I'm 
guessing iptables gets to filter before packets go to routing. They should 
work well together though.
