
Re: why is DENY not enough?



On Tue, Jul 20, 2004 at 01:22:41PM -0400, Steve Melo wrote:
> 
> I'm sure that my question has a simple answer, but only recently have
> I begun to play with iptables.  Can anyone please describe why it is
> necessary to specifically block each known attack.  From what I have
> read a default INPUT policy of DENY should drop anything that was not
> specifically allowed.  Almost all the firewall scripts I have seen so
> far include these extra rules, but I can't wrap my head around it.

One reason may be that if the explicit rules are there and the default policy
is changed (for whatever reason), then they are still blocked.  Think
multiple layers of defense.  Another may be that they want to silently
block those attacks and have a logging rule just before the packet would
be handed to the default policy.

-- 
Jamin W. Collins

"Never underestimate the power of very stupid people in large groups."
-- John Kenneth Galbraith
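An added example, not from this thread or its authors: a POSIX sh builder that emits an iptables-restore ruleset laid out the way the reply describes, with explicit drops ahead of any ACCEPT and a LOG rule as the last rule before the chain policy takes over. The interface name, subnets and port are assumed values; the helper functions only check the emitted text, nothing is loaded into a kernel.

```shell
#!/bin/sh
# Emit a filter table in iptables-restore format. $1 is the INPUT policy;
# pass ACCEPT to see what the ruleset looks like after someone flips it.
# eth0, the subnets and port 22 are constructed placeholder values.
emit_input_chain() {
    policy="${1:-DROP}"
    cat <<EOF
*filter
:INPUT ${policy} [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Layer 1: explicit drops, placed before any ACCEPT so they hold no
# matter what the chain policy is set to.
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Layer 2: what the host actually offers.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
# Layer 3: log whatever falls through (rate limited), then the packet
# is handed to the chain policy. The log survives a policy change too.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT fallthrough: "
COMMIT
EOF
}

# The rule lines only (no policy or table lines), for comparison.
rule_body() {
    emit_input_chain "$1" | grep '^-A'
}

# Return 0 when the last rule in INPUT is the LOG rule, i.e. nothing
# reaches the chain policy without being logged first.
last_rule_logs() {
    rule_body "$1" | tail -n 1 | grep -q -- '-j LOG'
}

emit_input_chain DROP
```

Load the output with `iptables-restore` (as root) when it is meant for real; the checks above are what a reviewer would run on the file before doing so.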


