Re: home firewall philosophy governing outgoing traffic
At 05:03 AM 6/15/01 , Bryan Walton wrote:
>2) More to the point, Ziegler suggests setting the input, output, and
>forward default policies to DENY and then decide what to allow through. It
>has dawned on me that I can make my rules MUCH simpler by setting the output
>chain's default policy to ACCEPT and remove all of the output rules from
>the script since philosophically I don't have any interest or
>desire to limit what my family members do on the net. As long as I
>filter out incoming traffic that I deem dangerous, is there anything to fear
>from having the output default policy set to ACCEPT? Or am I missing
When I set up a similar system at my home I relied on recommendations from a document
which recommended a strong ruleset based on DENY/REJECT in the output chain.
As I learned over time, I realized that ACCEPT was the better policy. Several previously
blocked services are now accessible, and now I specifically DENY only certain outputs
(X ports, SMB) as precautions, and allow everything to pass between the computers on
the home LAN.
My only other concern was Internet filtering for the kids, which I solve by disallowing forwarding
when neither of us can supervise (echo "0" > /proc/sys/net/ipv4/ip_forward) rather
than setting any rules in the firewall.
Jeffrey B. Green Personal Computer Consultant - Las Vegas, Nevada
http://jbgreen.com Networking Las Vegas Since 1986
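The ruleset Jeffrey describes, rendered as an added example in modern iptables syntax (not code from the post or either author): OUTPUT policy ACCEPT, explicit drops only for X11 and SMB bound for the Internet, unrestricted traffic between LAN hosts, and the ip_forward toggle used for supervision. Interface names, the LAN subnet, the exact port lists and the stateful reply rule are my assumptions, not details from the thread.

```shell
#!/bin/sh
# Constructed example: emits iptables commands rather than applying them,
# so it can be reviewed first ("sh fw.sh | sudo sh" applies them).
# Assumed layout: Internet on eth0, home LAN on eth1 as 192.168.1.0/24.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

gen_rules() {
  # Default policies: inbound and forwarded traffic denied, outbound allowed.
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT ACCEPT"
  # Loopback and anything arriving from the LAN side is trusted.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT"
  echo "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -j ACCEPT"
  # Replies to connections the LAN opened (assumed; not in the post).
  echo "iptables -A INPUT -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # The only deliberate outbound restrictions: X11 and SMB must not leave
  # for the Internet, whether sent by the gateway itself or forwarded.
  for chain in OUTPUT FORWARD; do
    echo "iptables -A $chain -o $WAN_IF -p tcp --dport 6000:6063 -j DROP"
    echo "iptables -A $chain -o $WAN_IF -p tcp -m multiport --dports 137,138,139,445 -j DROP"
    echo "iptables -A $chain -o $WAN_IF -p udp -m multiport --dports 137,138 -j DROP"
  done
  # Everything else from the LAN may go out; inbound forwards hit the DROP policy.
  echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Supervision switch from the post: stop routing without touching any rule.
# usage: set_forwarding 0|1 [procfile]   (procfile argument only for testing)
set_forwarding() {
  case "$1" in
    0|1) ;;
    *) echo "usage: set_forwarding 0|1" >&2; return 1 ;;
  esac
  echo "$1" > "${2:-/proc/sys/net/ipv4/ip_forward}"
}

gen_rules
```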