
Re: IP Forwarding to Windows machine



On Sun, 10 Aug 2014 16:07:01 -0400
Tom H <tomh0665@gmail.com> wrote:

> On Sun, Aug 10, 2014 at 2:24 PM, Nemeth Gyorgy <friczy@freemail.hu>
> wrote:
> > On 2014-08-10 11:33, Pascal Hambourg wrote:
> >>
> >> Nemeth Gyorgy's ruleset is too complicated. Use the bare minimum :
> >>
> >> sysctl -w net.ipv4.ip_forward=1
> >> iptables -t nat -P ACCEPT
> >> iptables -t filter -P ACCEPT
> >
> > This is really a big security hole.
> 
> This is one of these hopelessly unresolvable issues where some people
> believe that the correct config is to have policy DROP/REJECT and
> others believe that the correct config is to have a policy of ACCEPT
> and to have the final rule in the respective chains be DROP/REJECT.
> 
> 

Why is it unresolvable? A DROP/REJECT policy is fail-safe, ACCEPT
isn't. If the rest of the rules are correct (and, more importantly,
guaranteed always to stay that way in the face of editing, sometimes
rushed), an ACCEPT policy is redundant, and if they're not, it's
dangerous. You will never *ever* want that ACCEPT policy rule to be
traversed.

But it greatly simplifies matters during a short go-nogo test, during
which the probability of an attack is quite small. And here's another
reason that the Internet connection should be farmed out to a dedicated
device containing at least a simple stateful packet filter, so that
experimentation with the main firewall carries little risk.

-- 
Joe


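The two camps Tom describes, and Joe's fail-safe argument, as an added example that is not part of the thread: three iptables-restore rulesets for the forwarding scenario (Pascal's bare minimum, a DROP-policy ruleset, and an ACCEPT-policy ruleset that relies on a trailing DROP rule), plus a small POSIX sh/awk lint that reports which filter chains would let unmatched traffic through, i.e. chains whose fate is decided by an ACCEPT policy rather than an explicit DROP/REJECT. The interface names eth0 (Internet side) and eth1 (LAN side), the Windows host 192.168.1.10 and the forwarded port 3389 are assumptions, not details from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread.  eth0/eth1, 192.168.1.10 and
# port 3389 are assumed; adjust to your own setup.

# NAT table shared by all three variants: forward TCP/3389 from the
# Internet to the Windows box, masquerade the LAN's outbound traffic.
NAT_TABLE='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.10
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
'

# 1. Pascal's bare minimum: every filter policy ACCEPT, no rules at all.
MINIMAL_RULES="$NAT_TABLE"'*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
'

# 2. Fail-safe: INPUT/FORWARD policy DROP, only the wanted traffic opened.
#    FORWARD sees the post-DNAT destination, hence -d 192.168.1.10.
FAILSAFE_RULES="$NAT_TABLE"'*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.1.10 -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
'

# 3. The other camp: policy ACCEPT, safety provided by a trailing DROP rule.
TRAILING_DROP_RULES="$NAT_TABLE"'*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.1.10 -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j DROP
COMMIT
'

# unsafe_chains RULESET: print, in declaration order, the filter-table chains
# in which a packet matching no rule is accepted: policy ACCEPT and the last
# rule is not an unconditional-looking DROP/REJECT.  Works on iptables-save
# output too.
unsafe_chains() {
    printf '%s' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        table != "filter" { next }
        /^:/ { c = substr($1, 2); policy[c] = $2; order[++n] = c; last[c] = ""; next }
        /^-A / { tgt = ""; for (i = 3; i <= NF; i++) if ($i == "-j") tgt = $(i + 1); last[$2] = tgt; next }
        /^COMMIT/ {
            for (i = 1; i <= n; i++) {
                c = order[i]
                if (policy[c] == "ACCEPT" && last[c] != "DROP" && last[c] != "REJECT")
                    out = out (out == "" ? "" : " ") c
            }
            print out; exit
        }'
}

# delete_rule RULESET RULE: drop one rule line, the way a rushed
# "iptables -D ..." on the live box would.
delete_rule() {
    printf '%s' "$1" | grep -vF -- "$2"
}

# Stand-alone demonstration of Joe's point: removing a rule from the
# ACCEPT-policy ruleset opens FORWARD; the same mistake on the DROP-policy
# ruleset only closes something.
echo "minimal:                $(unsafe_chains "$MINIMAL_RULES")"
echo "fail-safe:              $(unsafe_chains "$FAILSAFE_RULES")"
echo "trailing DROP:          $(unsafe_chains "$TRAILING_DROP_RULES")"
echo "trailing DROP, -D'd:    $(unsafe_chains "$(delete_rule "$TRAILING_DROP_RULES" '-A FORWARD -j DROP')")"
echo "fail-safe, -D'd:        $(unsafe_chains "$(delete_rule "$FAILSAFE_RULES" '-A FORWARD -i eth1 -o eth0 -j ACCEPT')")"
```

To apply the fail-safe variant on the router, as root: `sysctl -w net.ipv4.ip_forward=1` followed by `printf '%s' "$FAILSAFE_RULES" | iptables-restore`. The lint only flags OUTPUT for it, which is the one chain deliberately left open here; run `unsafe_chains "$(iptables-save)"` on a live box to see which chains depend on an ACCEPT policy being traversed.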