Question about new chains
Bob Surenko
Bob Surenko <surenko@fred.net>
Thu, 11 Oct 2001 11:30:52 -0400
Daniel,
Thursday, October 11, 2001, 10:34:09 AM, you wrote:
DFAUHA> I have a question about making a new chain or better yet, a how-to question.
DFAUHA> The way I understand it each packet is compared to every rule you have from
DFAUHA> top to bottom in whatever chain it is in unless it matches a drop or accept,
DFAUHA> then it is forwarded or whatever.
DFAUHA> Well here is my issue. I need to be able to add rules on the fly without
DFAUHA> reloading all the firewall rules every time, because the very last chain in
DFAUHA> my script is a forward all. Due to the nature of our business I have to run
DFAUHA> an accept all then deny the bad stuff versus a deny all and only open used
DFAUHA> ports.
I can't imagine any business need that would require you to have
accept policy on your chains. Accept policies always look easier
at first but they never are. There is nothing you can do with
accept policies that you can't do with drop policies. I suggest
you look at it again.
As to your question, order is everything of course, so I do the
following: I create two user-defined chains for every built-in.
I put all my DROP rules in the first user-defined chain and my
ACCEPTs in the second. These two chains are for static rules only.
I build a third user-defined chain for my dynamic accept rules AFTER
the two static rule chains.
Of course you are probably trying to create a bunch of dynamic DENY
rules, so your dynamic chain would be in front of your static chains.
After you drive yourself insane using accept policies remember
that "All is denied except explicitly allowed" is always easier.
DFAUHA> basicaly I have
DFAUHA> DENY
DFAUHA> DENY
DFAUHA> DENY
DFAUHA> DENY
DFAUHA> DENY
DFAUHA> ACCEPT ALL
DFAUHA> I need to be able to add rules on the fly right above the accept all.
DFAUHA> I thought I saw mention somewhere of adding rules anywhere in that
DFAUHA> sequence using a rule number or something like that.
DFAUHA> TIA
--
Bob mailto:surenko@fred.net