netfilter firewalling problems and solutions

ken_i_m at elegantinnovations.net
Fri Feb 20 18:19:59 PST 2004


On Thu, Feb 19, 2004 at 11:48:50PM -0500, Archaic (archaic at indy.rr.com) wrote:
> > Netfilter can see everything dhcpd does.
> 
> You sure about that? IIRC dhclient, unlike other clients, uses a raw
> socket. At least the last time I used it it did. iptables couldn't
> filter it because it didn't see it.

I made "no comment" in my earlier reply because dhcp is not used on any 
networks I have anything to do with (simply because there is no need). 
If the above behavior is true then I no longer see any justification for 
its use at all.

> Yeah, but spend too much time trying to minimize the number of rules
> that will match each packet and I would fear something getting missed.

Deny all by default.

After that there is no fear.  Fear (an emotion) has no place in firewall 
(or security in general) design.  If you miss something it will be 
immediately obvious because something will not work.

P.S.
An unrelated issue has come up that has to be solved "now".  So, my 
netfilter work is momentarily delayed.  I will try to keep up my reading
here.
-- 
I think, therefore, ken_i_m
Chief Gadgeteer, Elegant Innovations
Founder, Bozeman Linux Users Group
(406) 581-0495
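The "deny all by default" design above is easy to state and easy to get wrong in a large ruleset, so here is an added example (mine, not code from this thread or from the HLFS project) of the check I would run on a ruleset before trusting it: it parses `iptables-save` output and reports any built-in filter chain whose policy is not DROP, plus any unconditional `-j ACCEPT` in a built-in chain, which silently turns the chain back into allow-by-default and makes every rule after it dead. The two dumps are constructed for illustration, and the function names are this example's own. One caveat that follows from Archaic's point: this audits only what netfilter sees, so a client talking on a packet socket (the dhclient case) is outside what the ruleset, and therefore this check, can say anything about.

```python
"""Audit an iptables-save dump for a deny-all-by-default filter table.

Added example, not code from the thread.  Both dumps below are
constructed; function and constant names are this example's own.
"""
from dataclasses import dataclass, field

BUILTIN_FILTER_CHAINS = ("INPUT", "FORWARD", "OUTPUT")

# Constructed dump: open policies and a catch-all ACCEPT that shadows the
# DROP rule after it.
PERMISSIVE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
COMMIT
"""

# Constructed dump: deny by default, with only narrow, matched ACCEPTs.
DEFAULT_DENY_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""


@dataclass
class Chain:
    policy: str                      # ACCEPT/DROP for built-ins, "-" for user chains
    rules: list = field(default_factory=list)   # each rule is its token list


def parse_iptables_save(dump):
    """Return {table: {chain_name: Chain}} from iptables-save text."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                           # comments such as "# Generated by"
        if line.startswith("*"):
            table = line[1:]                   # "*filter" opens a table
            tables.setdefault(table, {})
        elif line.startswith(":"):
            name, policy, _counters = line[1:].split(None, 2)
            tables[table][name] = Chain(policy)
        elif line.startswith("-A "):
            parts = line.split()               # "-A CHAIN <matches> -j TARGET"
            tables[table].setdefault(parts[1], Chain("-")).rules.append(parts[2:])
        elif line == "COMMIT":
            table = None
    return tables


def rule_target(rule):
    """Jump target of a rule token list, or None for a counter-only rule."""
    return rule[rule.index("-j") + 1] if "-j" in rule else None


def has_match(rule):
    """True if the rule carries any match criteria besides its jump."""
    tokens = list(rule)
    if "-j" in tokens:
        i = tokens.index("-j")
        del tokens[i:i + 2]
    return bool(tokens)


def audit_filter_table(dump):
    """Return findings as strings; an empty list means deny-by-default holds."""
    findings = []
    chains = parse_iptables_save(dump).get("filter", {})
    for name in BUILTIN_FILTER_CHAINS:
        # A chain absent from the dump keeps the kernel default, ACCEPT.
        policy = chains[name].policy if name in chains else "ACCEPT"
        if policy != "DROP":
            findings.append(f"{name}: policy is {policy}, not DROP")
    for name in BUILTIN_FILTER_CHAINS:
        # Only built-in chains are checked: a bare "-j ACCEPT" can be a
        # legitimate terminal rule inside a user chain reached by a narrow jump.
        rules = chains[name].rules if name in chains else []
        for idx, rule in enumerate(rules):
            if rule_target(rule) == "ACCEPT" and not has_match(rule):
                findings.append(f"{name} rule {idx + 1}: unconditional ACCEPT")
                left = len(rules) - idx - 1
                if left:
                    findings.append(f"{name}: {left} rule(s) after it never match")
                break
    return findings


if __name__ == "__main__":
    for label, dump in (("permissive", PERMISSIVE_DUMP), ("default-deny", DEFAULT_DENY_DUMP)):
        print(label, audit_filter_table(dump) or ["ok"])
```

On a live box, feed it `iptables-save` output instead of the constructed dumps. Note that the check treats a missing built-in chain as ACCEPT, because that is what the kernel does, so a dump that simply omits the filter table fails the audit rather than passing by silence.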



More information about the hlfs-dev mailing list