
firewall conceptual question



In most documents I've read about building a firewall, most say the
general procedure is to deny any kind of traffic to your machine, then
explicitly allow only what is needed.

So, with iptables, this translates to flushing all the chains, setting all
default policies to DROP, then adding a few ACCEPT conditions.

This makes sense to me, but in a lot of example firewalls I've seen
floating around the 'net, they have explicit DROP rules (in addition to
setting the default policy to DROP).  This seems redundant to me---if you
DROP everything by default, why would you need to explicitly set even more
DROP rules?

Without citing an example, does anyone know what I'm talking about?  Can
anyone elaborate on this?

Thanks,
Matt

-- 
Matt Garman, garman@uiuc.edu
"I'll tip my hat to the new constitution, Take a bow for the new revolution
 Smile and grin at the change all around, Pick up my guitar and play
 Just like yesterday, Then I'll get on my knees and pray..."
            -- Pete Townshend/The Who, "Won't Get Fooled Again"
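As an added illustration of the question above (not part of the original post), a toy first-match evaluator that mimics the INPUT-chain semantics of iptables: the default policy is consulted only when no rule matches, so an explicit DROP placed ahead of a broad ACCEPT is not redundant. The rule fields, interface name, addresses and packets are all constructed for the example.

```python
"""Toy first-match packet filter with iptables-style chain semantics.

Added example, not code from the original mailing-list post.  Rule fields,
interface names, addresses and sample packets are constructed.
"""
from ipaddress import ip_address, ip_network

# The chain policy applies only when NO rule in the chain matches.
POLICY = "DROP"


def matches(rule, pkt):
    """A rule matches when every criterion it specifies is satisfied."""
    if rule.get("iface") and rule["iface"] != pkt["iface"]:
        return False
    if rule.get("src") and ip_address(pkt["src"]) not in ip_network(rule["src"]):
        return False
    if rule.get("dport") and rule["dport"] != pkt.get("dport"):
        return False
    if rule.get("state") and pkt.get("state") not in rule["state"]:
        return False
    return True


def verdict(chain, pkt, policy=POLICY):
    """Walk the chain in order; the first matching rule decides the verdict."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy


# "Flush, policy DROP, then a few ACCEPTs" as described in the post.
ACCEPT_ONLY = [
    {"iface": "eth0", "state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"iface": "eth0", "dport": 22, "target": "ACCEPT"},
]

# Same chain with one explicit DROP placed *before* the broad ACCEPT rules:
# packets arriving on the external interface that claim a private source.
WITH_EXPLICIT_DROP = [
    {"iface": "eth0", "src": "10.0.0.0/8", "target": "DROP"},
] + ACCEPT_ONLY

# Constructed packets: one with a spoofed private source that would slip
# through the state ACCEPT, one unsolicited packet that matches no rule.
SPOOFED_EST = {"iface": "eth0", "src": "10.1.2.3", "dport": 22, "state": "ESTABLISHED"}
UNSOLICITED = {"iface": "eth0", "src": "198.51.100.7", "dport": 80, "state": "NEW"}

if __name__ == "__main__":
    for name, chain in (("accept-only", ACCEPT_ONLY), ("explicit-drop", WITH_EXPLICIT_DROP)):
        print(name, verdict(chain, SPOOFED_EST), verdict(chain, UNSOLICITED))
```

The unsolicited packet is dropped by the policy in both chains; the spoofed packet is only dropped once the explicit rule sits ahead of the ACCEPTs.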