Question about new chains
Bob Surenko <firstname.lastname@example.org>
Thu, 11 Oct 2001 11:30:52 -0400
Thursday, October 11, 2001, 10:34:09 AM, you wrote:
DFAUHA> I have a question about makeing a new chain or better yet, a how to question.
DFAUHA> THe way I understand it each packet is compared to every rule you have from
DFAUHA> top to bottom in waht ever chain it is in unless it matches a drop or accept
DFAUHA> then it is forwarded or what ever.
DFAUHA> well here is my issue. I need to be able to add rules on the fly with out
DFAUHA> reloading all the firewall rules every time. Becaus ethe very last chain in
DFAUHA> my script is a forward all. Do to the nature of our bussiness I have to run
DFAUHA> an accept all the deny the bad stuff versus a deny all and only open used
I can't imagine any business need that would require you to have
accept policy on your chains. Accept policies always look easier
at first but they never are. There is nothing you can do with
accept policies that you can't do with drop policies. I suggest
you look at it again.
As to your question, Order is everything of course so I do the
following... I create two user defined chains for every built in.
I put all my DROP rules in the first user defined chains and my
accepts in the second. These 2 chains are for static rules only.
I build a third user defined chain for my dynamic accept rules AFTER
the 2 static rule chains.
Of course you are probably trying to create a bunch of dynamic DENY
rules so your dynamic chain would be in front of your static chains.
After you drive yourself insane using accept policies remember
that "All is denied except explicitly allowed" is always easier.
DFAUHA> basicaly I have
DFAUHA> ACCEPT ALL
DFAUHA> I need to be able to add rules on the fly right above the accept all.
DFAUHA> I thought I seen mention some where of adding in rules anywhere in that
DFAUHA> sequence using a rule number or some thing like that.