
Re: IP Forwarding to Windows machine



On 2014-08-10 22:30, Joe wrote:
> Why is it unresolvable? A DROP/REJECT policy is fail-safe, ACCEPT
> isn't. If the rest of the rules are correct, (and more importantly,
> guaranteed always to stay that way in the face of editing, sometimes
> rushed) an ACCEPT policy is redundant, and if they're not, it's
> dangerous. You will never *ever* want that ACCEPT policy rule to be
> traversed.
> 
> But it greatly simplifies matters during a short go-nogo test, during
> which the probability of an attack is quite small. And here's another
> reason that the Internet connection should be farmed out to a dedicated
> device containing at least a simple stateful packet filter, so that
> experimentation with the main firewall carries little risk.
> 
Yes, it can work as a short go-nogo test. But the suggestion did not
mention that it is only for that. And it is very likely that when
the OP tries this and it 'works' (I mean the Windows machine behind the
Linux works well), then the rules will remain. And - as the Linux server
can have a lot of services - it will leave a lot of security holes open to the world.

So I wouldn't suggest such a situation; in my opinion the minimum policy
should still be safe (at least a bit). So the default policy for nat and
mangle can be ACCEPT without too much risk, but on the filter table set
ACCEPT on the OUTPUT chain, set DROP for INPUT and FORWARD, and
explicitly allow what you want. This should be the minimum security
level for a home firewall.

-- 
--- Friczy ---
'Death is not a bug, it's a feature'
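The minimum home-firewall policy described in the reply above, written out as an added example (not code from the thread or from any list member), plus a check that catches a box left with the all-ACCEPT go-nogo policy. Interface names, the Windows host address and the forwarded port are constructed assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread).  Constructed assumptions:
# eth0 faces the Internet, eth1 faces the LAN, and 192.168.1.10 is the
# Windows host that should receive forwarded TCP port 3389 connections.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WIN_HOST="${WIN_HOST:-192.168.1.10}"
FWD_PORT="${FWD_PORT:-3389}"

# Emit the minimum policy as a reviewable list of iptables commands.
# nat and mangle keep their default ACCEPT policy; the filter table gets
# OUTPUT ACCEPT, INPUT/FORWARD DROP, and explicit allows only.  The DROP
# policies are set last so a live admin session is not cut off mid-way.
min_policy_rules() {
    cat <<EOF
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $WIN_HOST -p tcp --dport $FWD_PORT -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $FWD_PORT -j DNAT --to-destination $WIN_HOST
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
EOF
}

# Check an "iptables -S" dump of the filter table: both INPUT and FORWARD
# must carry policy DROP, otherwise the test-time ACCEPT policy was left in.
check_filter_policies() {
    printf '%s\n' "$1" | grep -q '^-P INPUT DROP' || return 1
    printf '%s\n' "$1" | grep -q '^-P FORWARD DROP' || return 1
}

# Constructed sample dump from a box left with the all-ACCEPT go-nogo policy.
OPEN_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

case "${1:-}" in
    apply) min_policy_rules | sh -e ;;                       # needs root
    check) check_filter_policies "$(iptables -S)" && echo "INPUT/FORWARD policy is DROP" ;;
    *)     min_policy_rules ;;
esac
```

Run without arguments to review the rule list, `apply` (as root) to load it, and `check` afterwards to confirm the DROP policies are actually in place.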

