[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: home firewall philosophy govering outgoing traffic

At 05:03 AM 6/15/01 , Bryan Walton wrote:
>2) More to the point, Ziegler suggests setting the input, output, and
>forward default policies to DENY and then decide what to allow through.  It
>has dawned on me that I can make my rules MUCH simpler by setting the output
>chain's default policy to ACCEPT and remove all of the output rules from 
>the script since philosophically I don't have any interest or
>desire to limit what my family members do on the net.  As long as I 
>filter out incoming traffic that I deem dangerous, is there anything to fear
>from having the output default policy set to ACCEPT?  Or am I missing
>something obvious?

When I set up a similar system at my home I relied on recommendations from a document 
which recommended a strong ruleset based on DENY/REJECT in the output chain. 
As I learned over time I realized that ACCEPT was the better policy. Several previously 
blocked services are now accessible, and now I specifically DENY only certain outputs 
(X ports, SMB) as precautions, and allow everything to pass between the computers on 
the home LAN.

My only other concern was Internet filtering for the kids, which I solve by disallowing forwarding
when neither of us can supervise (echo "0" > /proc/sys/net/ipv4/ip_forward) rather 
than setting any rules in the firewall.



Jeffrey B. Green		Personal Computer Consultant - Las Vegas, Nevada 
http://jbgreen.com		Networking Las Vegas Since 1986

Reply to: