Re: firewall conceptual question
On Sun, Jul 22, 2001 at 01:33:11PM -0500, Matthew Garman wrote:
You might want to drop certain packets before going through the whole
list, just to optimize packets traveling through netfilter a bit. Also you
might have a few different drop-chains: a default one that doesn't log and some
other chain that also logs.
And you might want to first drop one or a few IPs from a network block
and after that allow the larger network, which includes just those few IPs.
Just to mention a few reasons, so it doesn't have to be redundant but can
be inevitable; not that we would, even in theory, want to avoid these
situations, it's perfectly normal.
> In most documents I've read about building a firewall, most say the
> general procedure is to deny any kind of traffic to your machine, then
> explicitly allow only what is needed.
> So, with iptables, this translates to flushing all the chains, setting all
> default policies to DROP, then adding a few ACCEPT conditions.
> This makes sense to me, but in a lot of example firewalls I've seen
> floating around the 'net, they have explicit DROP rules (in addition to
> setting the default policy to DROP). This seems redundant to me---if you
> DROP everything by default, why would you need to explicitly set even more
> DROP rules?
> Without citing an example, does anyone know what I'm talking about? Can
> anyone elaborate on this?
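The three reasons in the reply above (cheap early drops, a logging drop chain beside the silent default policy, and dropping a few hosts before allowing the block they belong to) as one ordered iptables rule set; this is an added illustration, not code from either poster. The addresses 192.0.2.0/24, 192.0.2.7 and 192.0.2.9, the interface eth0 and port 22 are constructed; IPT defaults to printing the commands, set IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Dry run by default: commands are printed, not executed.
IPT="${IPT:-echo iptables}"

TRUSTED_NET=192.0.2.0/24        # constructed example network
BAD_HOSTS="192.0.2.7 192.0.2.9" # constructed hosts inside that network

# Emit the INPUT rule set in the order that makes each rule meaningful.
build_rules() {
    # Default policy: anything no rule accepts is dropped silently (no log).
    $IPT -P INPUT DROP
    $IPT -F INPUT

    # Second drop chain that logs before dropping, for traffic we want to see.
    $IPT -N LOGDROP 2>/dev/null
    $IPT -F LOGDROP
    $IPT -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    $IPT -A LOGDROP -j DROP

    # 1. Cheap early matches: malformed packets leave netfilter right here and
    #    replies to our own connections are accepted without touching the rest.
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. Explicit drops for a few hosts inside the network allowed in step 3.
    #    iptables stops at the first matching rule, so these must come before
    #    the ACCEPT for the whole block; the default policy alone cannot do this.
    for h in $BAD_HOSTS; do
        $IPT -A INPUT -s "$h" -j LOGDROP
    done

    # 3. Allow the larger network (which still contains the hosts above) to SSH.
    $IPT -A INPUT -i eth0 -s "$TRUSTED_NET" -p tcp --dport 22 -j ACCEPT
    # Everything else falls through to the unlogged DROP policy.
}

build_rules
```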