Re: nft newbie

To: debian-user@lists.debian.org
Subject: Re: nft newbie
From: Anssi Saari <as@sci.fi>
Date: Tue, 12 Jul 2022 15:13:29 +0300
Message-id: <[🔎] sm08royleae.fsf@lakka.kapsi.fi>
Mail-followup-to: debian-user@lists.debian.org
References: <[🔎] d47bc2b6-cc49-6d08-d422-3495f3a59028@shentel.net> <[🔎] YsYmBc2GwEcsWr5X@eskimo.com> <[🔎] CAFMGiz-YLj4=RoAg62j98J9Wdzc0eRVbVEj5OECY4w1iKHoZBQ@mail.gmail.com> <[🔎] 2ad1777d-17c7-f114-a976-a2bec857c29c@shentel.net> <[🔎] 3d2d2857-875c-4636-b102-a94f4c1a4121@www.fastmail.com> <[🔎] 83c9d108-51c8-4e17-a565-61ad041b9651@www.fastmail.com> <[🔎] alpine.DEB.2.20.2207091100050.16633@maria.rogerprice.org> <[🔎] bec39705-8557-4b35-9ee2-08da5d22fef1@www.fastmail.com> <[🔎] a43601d6-03af-4298-ac3e-2664fbf2051a@www.fastmail.com> <[🔎] CAF358wRErEpOFNU5V6qim3RT8RNCG-aSgXOm287Yp9Qjb+4Leg@mail.gmail.com> <[🔎] 10854bda-f43c-4bf5-87cf-2a7f52fc1361@www.fastmail.com>

"Gareth Evans" <donotspam@fastmail.fm> writes:

> On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies <maxiestudies@gmail.com> wrote:
>
>> drop and reject are not equivalent.
>
> Fair enough
>
> [...]
>> In most cases it's a best practice to configure all chains with
>> _policy drop_ and then add rules for the traffic that you want to
>> allow 
>
> All the nftables and PF howtos I have found take this approach.
>
> Why is it best practice?  Is there any security advantage over rejection?  

Not really, to me using DROP is a simplistic view not based in reality.

https://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
covers the pros and cons reasonably with this conclusion:

"DROP offers no effective barrier to hostile forces but can dramatically
slow down applications run by legitimate users. DROP should not normally
be used."

Reply to:

Follow-Ups:
- Re: nft newbie
  - From: Maximiliano Estudies <maxiestudies@gmail.com>

References:
- nft newbie
  - From: gene heskett <gheskett@shentel.net>
- Re: nft newbie
  - From: Will Mengarini <seldon@eskimo.com>
- Re: nft newbie
  - From: Tom Browder <tom.browder@gmail.com>
- Re: nft newbie
  - From: gene heskett <gheskett@shentel.net>
- Re: nft newbie
  - From: "Gareth Evans" <donotspam@fastmail.fm>
- Re: nft newbie
  - From: "Gareth Evans" <donotspam@fastmail.fm>
- Re: nft newbie
  - From: Roger Price <debian@rogerprice.org>
- Re: nft newbie
  - From: "Gareth Evans" <donotspam@fastmail.fm>
- Re: nft newbie
  - From: "Gareth Evans" <donotspam@fastmail.fm>
- Re: nft newbie
  - From: Maximiliano Estudies <maxiestudies@gmail.com>
- Re: nft newbie
  - From: "Gareth Evans" <donotspam@fastmail.fm>

Prev by Date: Re: avahi-daemon allow/deny interfaces question
Next by Date: Re: nft newbie
Previous by thread: Re: nft newbie
Next by thread: Re: nft newbie
Index(es):
- Date
- Thread