ken_i_m at elegantinnovations.net ken_i_m at elegantinnovations.net
Thu Feb 12 21:40:28 PST 2004

On Thu, Feb 12, 2004 at 11:00:31PM -0500, Robert Connolly (cendres at videotron.ca) wrote:
> On February 12, 2004 05:54 pm, Dagmar d'Surreal wrote:
> > PRINCIPLE OF LEAST PRIVILEGE: That which is not explicitly allowed, is
> > automatically denied.
> This is much easier said than done.

Allow me to rephrase that in a positive, proactive framework.  It is 
relatively easy to lock a box down.  It is opening a single function 
without inadvertently opening something else that can pose difficulty.
(On second thought, the phrasing may be just personal taste.)

> protocols they know about. Much more than tcpip can pass through ethernet or 
> dsl cable from someone on the same physical network (your isp). I don't know 
> much about iptables or how many protocols it filters, but a default deny 
> policy would have to include arp, ipx, and misc protocols that can travel on 
> a lan. I don't know if there is a way to block unknown protocols...

ebtables filters at the ethernet protocol level.
I think maybe the common usage "iptables" may throw some off a bit.  The 
proper name is netfilter and it does more than just ip.
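As an added example that is not part of this thread: the default-deny policy the two posters are discussing, written as a small script that applies the principle at both netfilter layers. ebtables drops every Ethernet frame whose EtherType is not explicitly listed (IPX, AppleTalk, unknown types), which is exactly the traffic iptables never sees; iptables then restricts IPv4 to loopback, established sessions, ping and SSH. The interface names, the choice of SSH on tcp/22 as the only inbound service, and the availability of the conntrack match are assumptions of the example, not anything stated in the message.

```shell
#!/bin/sh
# Added example, not code from the original thread: "not explicitly allowed
# means denied" enforced at two netfilter layers. Assumptions: SSH on tcp/22
# is the only inbound service; ebtables, iptables and the conntrack match are
# available. Usage:  sh default-deny.sh show   (print the rules)
#                    sh default-deny.sh apply  (install them; needs root)

# Ethernet-level rules. The DROP policy on INPUT and FORWARD is the catch-all:
# any frame whose EtherType is not matched by an ACCEPT rule is discarded
# before the IP stack ever sees it. IPv6 is deliberately absent; add it only
# together with an ip6tables policy of its own.
ether_rules() {
    cat <<'EOF'
ebtables -F
ebtables -P INPUT DROP
ebtables -P FORWARD DROP
ebtables -P OUTPUT ACCEPT
ebtables -A INPUT -p ARP -j ACCEPT
ebtables -A INPUT -p IPv4 -j ACCEPT
EOF
}

# IP-level rules, same pattern: default DROP, then the few explicit opens.
ip_rules() {
    cat <<'EOF'
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Both layers, in the order they should be applied.
all_rules() {
    ether_rules
    ip_rules
}

# Number of chains whose default policy is DROP. This is the "deny everything
# else" half of the ruleset and should cover every inbound and forwarding
# chain at both layers (2 for ebtables + 2 for iptables).
count_drop_policies() {
    all_rules | grep -c ' -P [A-Z]* DROP$'
}

# Number of explicit ACCEPT rules, i.e. the complete list of what is opened.
count_accept_rules() {
    all_rules | grep -c ' -j ACCEPT$'
}

# Execute each rule line in order; stop at the first command that fails so a
# half-applied policy is noticed rather than silently left in place.
apply_rules() {
    all_rules | while read -r line; do
        $line || exit 1
    done
}

case "${1:-}" in
    show)  all_rules ;;
    apply) apply_rules ;;
esac
```

One caveat worth knowing before relying on the Ethernet half: ebtables hooks into the kernel's bridge code, so on a host whose NIC is not enslaved to a bridge these rules match nothing. On such a host the same EtherType filtering is done with nftables' netdev ingress hook on the interface itself (`ether type arp accept`, `ether type ip accept`, policy drop), which is the current netfilter front end for the job.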
