Iptables initialization

Robert Connolly cendres at videotron.ca
Sat Feb 14 09:05:06 PST 2004


On February 14, 2004 11:47 am, Dagmar d'Surreal wrote:
> Okay, for those who are going to assume my tone to be hostile in this
> email.  Try to remember to breathe.  I am not hostile, I am factual,
> and reality itself is merciless.
>
> On Thu, 2004-02-12 at 22:00, Robert Connolly wrote:
> > On February 12, 2004 05:54 pm, Dagmar d'Surreal wrote:
> > > PRINCIPLE OF LEAST PRIVILEGE: That which is not explicitly allowed, is
> > > automatically denied.
> >
> > This is much easier said than done. Firewalls, and rbac too, can only
> > filter protocols they know about. Much more than tcpip can pass through
> > ethernet or dsl cable from someone on the same physical network (your
> > isp). I don't know much about iptables or how many protocols it filters,
> > but a default deny policy would have to include arp, ipx, and misc
> > protocols that can travel on a lan. I don't know if there is a way to
> > block unknown protocols...
>
> No.  This is wrong thinking.  Firewalls and access lists do not filter
> things that they don't know about--they deny them by fiat.  Remember the
> Principle of Least Privilege.  Having a machine route IPX packets
> without being able to filter them is a vulnerability, and in practice
> you generally don't want IPX crossing firewall boundaries at all
> anyway.  ARP is _not about_ to pass through a router since it would be
> nearly useless to do so, and the misc protocols you mention in my
> experience generally amount to IPSEC and VoIP which _are_ filterable.

A software bridge will pass arp straight through unless the firewall knows what 
arp is. Same should be true for many protocols. In the case of selinux, it 
doesn't know what ipv6 is (at least this used to be true), so it ignores it 
and lets ipv6 do whatever it wants. Unknown protocols tend to be passed by 
default.
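The thread turns on one point: a filter only denies what it is not told to accept if each layer it can see has a DROP policy, and a software bridge sees Ethernet frames that iptables never looks at. The script below is an added example, not code from either poster or from the hlfs project; it prints a default-deny ruleset for review instead of applying it (pipe the output into sh as root to apply). The interface name in LAN_IF, the single allowed service (ssh on 22/tcp) and the choice to let only ARP and IPv4 cross the bridge are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the list post): emit a default-deny ruleset covering
# the three places traffic can slip past a policy that was only set for IPv4:
#   iptables   - IPv4 (chain policies DROP, explicit accepts only)
#   ip6tables  - IPv6 (a separate table; leaving it at ACCEPT lets v6 through)
#   ebtables   - the bridge itself, where ARP, IPX and other ethertypes travel
# Usage:  sh default-deny.sh | sh      (as root, after reading the output)

LAN_IF="${LAN_IF:-eth0}"   # assumed interface name (not from the post)

# IPv4: everything not matched by an ACCEPT rule hits the DROP policy.
ip_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "IPT-DROP: " --log-level 4
EOF
}

# IPv6: a separate rule table; a "default deny" that forgets it denies nothing
# for v6 traffic, which is the failure mode the post describes for selinux.
ip6_rules() {
    cat <<EOF
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
EOF
}

# Link layer, for a software bridge: iptables never sees IPX or ARP frames,
# so the bridge needs its own policy. With FORWARD set to DROP, every
# ethertype not listed (IPX, and IPv6 in this example) is denied without the
# firewall having to understand it.
bridge_rules() {
    cat <<EOF
ebtables -F
ebtables -P FORWARD DROP
ebtables -A FORWARD -p ARP -j ACCEPT
ebtables -A FORWARD -p IPv4 -j ACCEPT
EOF
}

default_deny_rules() {
    ip_rules
    ip6_rules
    bridge_rules
}

# Review helper: how many chain policies in the emitted set are DROP.
# Expected 7 (3 iptables + 3 ip6tables + 1 ebtables).
drop_policy_count() {
    default_deny_rules | grep -c -- '-P [A-Z]* DROP$'
}

default_deny_rules
```

The ordering matters: set the DROP policies first, then add accepts, so there is no window where the chain is open; and keep the LOG rule last so that only traffic about to be dropped is logged, which is what you want to see when checking whether a protocol you did not expect is reaching the box.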
