iptables SECURITY - default settings

Jack Bowling jbinpg at shaw.ca
Thu Sep 16 23:36:48 UTC 2004


On Thu, Sep 09, 2004 at 11:34:29PM +0200, Alexander Dalloz wrote:
> Am Do, den 09.09.2004 schrieb Wal um 23:04:
> 
> > I am suggesting a more secure default setting-
> 
> > -I SecLev505-INPUT -p all -j DROP
> 
> > Alternately (with possible issue when rules actually get applied)-
> 
> > -A SecLev505-INPUT -p all -j DROP
> 
> I would heavily dislike a default DROP rule setup with iptables. There
> is a long discussion about DROP versus REJECT in the firewall forums,
> and I follow the arguments for REJECTing. One reason which affects users
> of Fedora: a DROP policy / default rule makes it much harder for anyone,
> and especially less experienced users, to track down problems caused by
> firewalling, with no real gain on the other side. It is and stays a myth
> that DROPing packets makes a system invisible to attackers (buzzword
> "stealth mode" in PFW products). For the majority of users, feedback in
> the form of an ICMP port unreachable is most useful.

Your argument in favor of REJECT falls apart in a DDoS situation. Having
the kernel drop packets rather than fire off REJECT messages in response to
every packet is much more efficient.

-- 
Jack Bowling
mailto: jbinpg at shaw.ca
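The two positions in this thread can be made concrete without touching a live kernel. The following POSIX shell script is an added example, not code from the thread or from Fedora's own iptables scripts: it emits an iptables-restore ruleset for the `SecLev505-INPUT` chain named above with the terminal rule selectable as `DROP` or `REJECT --reject-with icmp-port-unreachable`, and it simulates `-I` (insert at the head) versus `-A` (append at the tail) so the ordering difference between Wal's two suggested forms is visible. The ACCEPT rules placed ahead of the terminal rule are constructed for illustration and are not from the page.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an iptables-restore fragment for
# the SecLev505-INPUT chain with the terminal rule chosen by the caller.
#   build_ruleset drop    -> last rule is "-p all -j DROP"  (silent discard)
#   build_ruleset reject  -> last rule answers with ICMP port-unreachable
# The ACCEPT rules before the terminal rule are illustrative, not Fedora's.
build_ruleset() {
  mode="$1"
  case "$mode" in
    drop)   final='-A SecLev505-INPUT -p all -j DROP' ;;
    reject) final='-A SecLev505-INPUT -p all -j REJECT --reject-with icmp-port-unreachable' ;;
    *)      echo "usage: build_ruleset drop|reject" >&2; return 1 ;;
  esac
  printf '%s\n' \
    '*filter' \
    ':INPUT ACCEPT [0:0]' \
    ':FORWARD ACCEPT [0:0]' \
    ':OUTPUT ACCEPT [0:0]' \
    ':SecLev505-INPUT - [0:0]' \
    '-A INPUT -j SecLev505-INPUT' \
    '-A FORWARD -j SecLev505-INPUT' \
    '-A SecLev505-INPUT -i lo -j ACCEPT' \
    '-A SecLev505-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
    '-A SecLev505-INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT' \
    "$final" \
    'COMMIT'
}

# Simulate how iptables orders rules in a single chain:
#   "I <rule>" inserts at position 1 (like iptables -I CHAIN rule)
#   "A <rule>" appends at the end   (like iptables -A CHAIN rule)
# Input is read from stdin, one rule per line; output is the chain in the
# order the kernel would evaluate it. A catch-all DROP added with -I after
# the ACCEPT rules ends up first and shadows every ACCEPT below it.
simulate_chain() {
  nl='
'
  chain=''
  while read -r op rule; do
    case "$op" in
      I) chain="${rule}${chain:+$nl$chain}" ;;
      A) chain="${chain:+$chain$nl}${rule}" ;;
      *) echo "bad op: $op (expected I or A)" >&2; return 1 ;;
    esac
  done
  printf '%s\n' "$chain"
}

# Convenience: position (1-based) at which the first rule matching a pattern
# sits in the simulated chain. Used to show where the terminal rule lands.
rule_position() {
  pattern="$1"
  grep -n -- "$pattern" | head -n 1 | cut -d: -f1
}

# Stand-alone demonstration when run directly.
if [ "${0##*/}" = "iptables_order_demo.sh" ]; then
  echo "== ruleset with DROP terminal rule =="
  build_ruleset drop
  echo "== -I places the catch-all first (shadows ACCEPTs) =="
  printf 'A -i lo -j ACCEPT\nA -p tcp --dport 22 -j ACCEPT\nI -p all -j DROP\n' | simulate_chain
  echo "== -A places it last (ACCEPTs are evaluated first) =="
  printf 'A -i lo -j ACCEPT\nA -p tcp --dport 22 -j ACCEPT\nA -p all -j DROP\n' | simulate_chain
fi
```

The generated ruleset is what `/etc/sysconfig/iptables` style files contain and can be loaded with `iptables-restore` on a test host. The simulation makes the trade-off Jack raises easy to reason about: both variants end with a catch-all, but only the `-A` form keeps the ACCEPT rules reachable, and the choice between `DROP` and `REJECT` in that final rule decides whether the host spends cycles generating an ICMP reply for every unwanted packet (useful for diagnosing firewall problems, costly under a flood) or discards it silently.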