Re: nft newbie

On 2022-07-12 10:33, Gareth Evans wrote:

On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies

In most cases it's a best practice to configure all chains with
_policy drop_ and then add rules for the traffic that you want to
allow


All the nftables and PF howtos I have found take this approach.

Why is it best practice? Is there any security advantage overrejection?

I think it is just that 'reject' tells the remote system there issomething listening.

mick

Reply to:

Follow-Ups:
- Re: nft newbie
  - From: Gareth Evans <donotspam@fastmail.fm>
- Re: nft newbie
  - From: Henning Follmann <hfollmann@itcfollmann.com>

References:
- nft newbie
  - From: gene heskett <gheskett@shentel.net>
- Re: nft newbie
  - From: Will Mengarini <seldon@eskimo.com>
- Re: nft newbie
  - From: Tom Browder <tom.browder@gmail.com>
- Re: nft newbie
  - From: gene heskett <gheskett@shentel.net>
- Re: nft newbie
  - From: "Gareth Evans" <donotspam@fastmail.fm>
- Re: nft newbie
  - From: "Gareth Evans" <donotspam@fastmail.fm>
- Re: nft newbie
  - From: Roger Price <debian@rogerprice.org>
- Re: nft newbie
  - From: "Gareth Evans" <donotspam@fastmail.fm>
- Re: nft newbie
  - From: "Gareth Evans" <donotspam@fastmail.fm>
- Re: nft newbie
  - From: Maximiliano Estudies <maxiestudies@gmail.com>
- Re: nft newbie
  - From: "Gareth Evans" <donotspam@fastmail.fm>