Conceptual Change in IP Filtering
Mon, 31 Jan 2000 15:58:21 +0100
On Mon, Jan 31, 2000 at 03:46:24PM +0100, Aaron Optimizer Digulla wrote:
> > You can shortcut without problem by e.g. just specifying an ACCEPT
> > default policy on the output rules. That is the default setting BTW.
> > Similar for forward and input.
> Well, isn't a firewall with DENY as default more secure?
More secure and more complicated to configure.
If you want easy configuration, go the "only deny what is known dangerous"
route. If you want paranoid filtering, you go the "deny by default
and only enable what is needed" route, but you should then know
what you are doing.
> And that's exactly my point: Most people, who have to set up a firewall against
> the Common Script Kiddy (I guess most setups will not hold against a well
> planned attempt to break it) do not know such things (and the docs don't tell
> them). So what is the difference between:
The right way to quickly secure a host against the average script kiddie
is just to block all ports that are known to be problematic (IMAP, POP,
SMTP except to the mail server, etc.)
> $cmd -allow any any ftp ftp
> ($cmd is the command to setup the firewall) and
> $cmd input -y -i <ext.iface> -d ftp ftp
> $cmd forward -y -i <int.iface> -d ftp ftp
> $cmd output -y -i <int.iface> -d ftp ftp
> $cmd input ! -y -i <int.iface> -s ftp ftp
> $cmd forward ! -y -i <ext.iface> -s ftp ftp
> $cmd output ! -y -i <ext.iface> -s ftp ftp
> ??? The entries in the routing table already contain this information, so
> having to write them a second time in the IPFW-setup-script means duplicating
> information. Also, the above command knows if it is more safe to have DENY or
> ACCEPT defaults (which most FW admins probably don't know for sure; this is
> based on the idea that some things are either more safe, more insecure or
> depend and that we can safely put the "more secure" knowledge into a script).
Because you forbade that before. If you set the default to DENY for
input/forward/output you told the firewall code "Only process a packet
when I explicitly allow it". Now you're complaining because the
packet filter is just fulfilling your wishes?
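To make the point concrete, here is an added toy model of how an ipchains-style chain is evaluated with a default policy (example code, not part of this thread or of ipchains itself). It encodes the two quoted `input` rules for FTP (SYN on the external interface, non-SYN replies from the ftp port on the internal interface) and shows that a reply packet nobody wrote a rule for, such as one from the ftp-data port, passes under a default ACCEPT policy and is dropped under default DENY; the interface names, port numbers and packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

FTP = 21        # ftp control port (constructed example values)
FTP_DATA = 20   # ftp-data port, for which the quoted rule set has no rule

@dataclass
class Packet:
    iface: str   # interface the packet is seen on ("ext" or "int" here)
    sport: int
    dport: int
    syn: bool    # True for a connection-opening SYN (-y), False otherwise (! -y)

@dataclass
class Rule:
    target: str                  # "ACCEPT" or "DENY"
    iface: Optional[str] = None  # None means "any", like an omitted -i
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None   # True = -y, False = ! -y, None = either

    def matches(self, p: Packet) -> bool:
        # Every specified field must match; unspecified fields match anything.
        return all(want is None or want == have for want, have in (
            (self.iface, p.iface), (self.sport, p.sport),
            (self.dport, p.dport), (self.syn, p.syn)))

def evaluate(chain: List[Rule], policy: str, p: Packet) -> str:
    # First matching rule wins; otherwise the chain's default policy applies.
    for r in chain:
        if r.matches(p):
            return r.target
    return policy

# The two "input" rules quoted in the thread, translated into the model.
INPUT_CHAIN = [
    Rule("ACCEPT", iface="ext", dport=FTP, syn=True),    # input -y -i <ext> -d ftp
    Rule("ACCEPT", iface="int", sport=FTP, syn=False),   # input ! -y -i <int> -s ftp
]

def verdicts(policy: str) -> dict:
    # Three constructed packets run through the input chain under the given policy.
    pkts = {
        "client SYN to ftp on ext": Packet("ext", 40000, FTP, True),
        "server reply from ftp on int": Packet("int", FTP, 40000, False),
        "server reply from ftp-data on int": Packet("int", FTP_DATA, 40001, False),
    }
    return {name: evaluate(INPUT_CHAIN, policy, p) for name, p in pkts.items()}

if __name__ == "__main__":
    for policy in ("ACCEPT", "DENY"):
        print(policy, verdicts(policy))
```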