
Re: nft newbie



On Tue, 12 Jul 2022 at 14:13, Anssi Saari (<as@sci.fi>) wrote:
>
> "Gareth Evans" <donotspam@fastmail.fm> writes:
>
> > On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies <maxiestudies@gmail.com> wrote:
> >
> >> drop and reject are not equivalent.
> >
> > Fair enough
> >
> > [...]
> >> In most cases it's a best practice to configure all chains with
> >> _policy drop_ and then add rules for the traffic that you want to
> >> allow
> >
> > All the nftables and PF howtos I have found take this approach.
> >
> > Why is it best practice?  Is there any security advantage over rejection?
>
> Not really, to me using DROP is a simplistic view not based in reality.
>
> https://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
> covers the pros and cons reasonably with this conclusion:
>
> "DROP offers no effective barrier to hostile forces but can dramatically
> slow down applications run by legitimate users. DROP should not normally
> be used."
>

nft only allows two possible default policies, DROP or ACCEPT, so it
isn't possible to configure a chain with default REJECT. Hence my
suggestion to configure default drop (just in case) and a "catch-all"
reject at the bottom of the chain.
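The layout described in the reply above (chain policy drop as a backstop, explicit accept rules, then a catch-all reject as the last rule) written out as a complete nftables ruleset. This is an added example, not part of the original thread; it assumes a single host that should accept only SSH (22/tcp) inbound, so the allowed-service rule is a placeholder to adjust.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Assumes a host that should
# accept only SSH inbound; adjust the accept rules for your services.
flush ruleset

table inet filter {
    chain input {
        # nft chain policies are only accept or drop, so drop is the
        # backstop in case a packet is not matched by any rule below.
        type filter hook input priority filter; policy drop;

        # Replies to connections this host opened, and related traffic.
        ct state established,related accept
        # Packets that do not belong to any known connection: no useful
        # reply exists, so silently dropping these is appropriate.
        ct state invalid drop

        iif "lo" accept
        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour
        # discovery; blocking them breaks connectivity in subtle ways.
        meta l4proto { icmp, icmpv6 } accept

        # Allowed services (placeholder: SSH only).
        tcp dport 22 accept

        # Catch-all reject at the bottom of the chain: TCP gets a RST,
        # everything else an ICMP/ICMPv6 port-unreachable, so legitimate
        # clients fail immediately instead of waiting for a timeout.
        meta l4proto tcp counter reject with tcp reset
        counter reject with icmpx type port-unreachable
    }

    chain forward {
        # This host does not route; refuse forwarded traffic the same way.
        type filter hook forward priority filter; policy drop;
        counter reject with icmpx type port-unreachable
    }
}
```

Load it with `nft -f <file>` (as root) and confirm the result with `nft list ruleset`. The `counter` on the two reject rules lets you check with `nft list chain inet filter input` whether the catch-all is actually doing the work, which is the quick way to spot that a rule you expected to match is sitting below it; if the counters stay at zero while the chain policy is what is discarding traffic, a rule above is misplaced or the catch-all is not the last line.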

