A simple question
Thu Aug 19 09:39:44 CEST 2004
On Thu, 2004-08-19 at 06:18, Mark E. Donaldson wrote:
> As you might expect, it is quite easy to DoS the firewall itself
> when OUTPUT is set to DROP. And that is not a really good idea.
Please elaborate - why is it easy to DoS the firewall if the OUTPUT
policy is DROP? You don't mean ICMP source-quench not getting
delivered or something?
> However, having said that, close scrutiny must be paid to what you
> allow out of the firewall and the necessary rules must be in place.
...which is why I personally use DROP as default policy for all
chains and explicitly allow everything I think necessary :-)
The only exception is in the mangle table, where I use ACCEPT
policies and just filter out the obvious spoofs, unclean frames
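The setup the reply describes (DROP as the default policy on every filter chain with explicit allows, and an ACCEPT-policy mangle table that only discards obvious spoofs) as an added example script; it is not part of the thread and not the poster's own ruleset. It assumes a single host firewall whose external interface is eth0, that SSH in and DNS, NTP and HTTP(S) out are the services wanted, and it runs as a dry run printing the iptables commands unless IPTABLES points at the real binary. The practical check it builds in: with OUTPUT at DROP, the box can only keep talking if loopback and ESTABLISHED,RELATED traffic are allowed out first, and logging what the policies discard makes a silent lockout visible.

```shell
#!/bin/sh
# Added example, not from the thread. Default-DROP filter policies with
# explicit allows; mangle table kept at ACCEPT with only obvious spoofs
# dropped. Assumptions: external interface eth0 (override with WAN=...),
# services listed below. Dry run by default: set IPTABLES=/sbin/iptables
# to apply for real.
IPTABLES="${IPTABLES:-echo iptables}"
WAN="${WAN:-eth0}"

ipt() { $IPTABLES "$@"; }

generate_rules() {
    # --- mangle: ACCEPT policy, only discard what is plainly bogus ---
    ipt -t mangle -P PREROUTING ACCEPT
    # RFC1918 and loopback sources arriving on the external interface
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        ipt -t mangle -A PREROUTING -i "$WAN" -s "$net" -j DROP
    done
    # packets the connection tracker cannot classify
    ipt -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

    # --- filter: DROP everywhere unless explicitly allowed ---
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    # loopback must stay open or local services break
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # replies to connections already accepted, in both directions;
    # without the OUTPUT rule a DROP policy silently cuts every session
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # inbound: only new SSH sessions
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # outbound: DNS, NTP, HTTP(S)
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -p tcp --dport 53 -j ACCEPT
    ipt -A OUTPUT -p udp --dport 123 -j ACCEPT
    ipt -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    # let the host emit ICMP errors (unreachable, fragmentation needed)
    ipt -A OUTPUT -p icmp -j ACCEPT
    # log what falls through to the DROP policies, rate limited
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
}

# Helper for reviewing the dry run: how many explicit OUTPUT allows exist.
count_output_allows() {
    generate_rules | grep -c -- '-A OUTPUT .* -j ACCEPT'
}

generate_rules
```

Run it once without IPTABLES set and read the printed rules; the OUTPUT allows for loopback and ESTABLISHED,RELATED must appear before any service rule, since they are what keeps the firewall reachable once `-P OUTPUT DROP` is in effect.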