Re: Why not have firewall rules by default?

To: debian-security@lists.debian.org
Subject: Re: Why not have firewall rules by default?
From: Vincent Deffontaines <vincent@gryzor.com>
Date: Wed, 23 Jan 2008 19:11:19 +0100
Message-id: <[🔎] 47978347.3000509@gryzor.com>
In-reply-to: <[🔎] 8A0AA67A76C9E2B8277B2F98@ZOP-MACTEL-2.local>
References: <[🔎] 47975AE5.80801@gmail.com> <[🔎] 8A0AA67A76C9E2B8277B2F98@ZOP-MACTEL-2.local>

Michael Loftis wrote:
[snip]

It's better to leave the service disabled, or even better, completelyuninstalled from a security standpoint, and from a DoS standpoint aswell. The Linux kernel isn't very efficient at processing firewallrules. Newer kernels might be though (I honestly haven't looked asdeeply into this in late 2.6 as i did/do in 2.4...2.4 processesfirewall rules strictly step by step)

The processing of Netfilter rules has not fundamentally changed from 2.4to 2.6.However, there is a way to load rules in a monilithic way, by usingiptables-restore, in placeof calling "iptables" multiple times. (IIRC, at some point in the past,debian used that to save

rules at system shutdown and reload them at boot, but I may be wrong).

Vincent

Reply to:

References:
- Why not have firewall rules by default?
  - From: William Twomey <william.twomey@gmail.com>
- Re: Why not have firewall rules by default?
  - From: Michael Loftis <mloftis@modwest.com>

Prev by Date: Re: Why not have firewall rules by default?
Next by Date: Re: Why not have firewall rules by default?
Previous by thread: Re: Why not have firewall rules by default?
Next by thread: Re: Why not have firewall rules by default?
Index(es):
- Date
- Thread