Mike A. Harris writes:
> This now brings up a debate that the kernel would be more secure
> if it defaulted to DENY which I disagree with, and believe that
> it would likely violate POSIX or UNIX98 or some other standard.
> I do not have any specific info to support this, but I'll bet
> someone else does know and can set things straight.
>
> So, what is the reason for the ipfilter defaulting to ACCEPT?
> (Aside from the fact that it doesn't matter, and can be done in
> userland quite effectively that is... ;o)
Well, one very bad thing would happen if just that one change was made
to the kernel - how could you boot a root NFS box which had IP chains
configured? Lets look at what happens:
Kernel boots, input and output chains are set to DENY
Kernel sends bootp packet
(packet is blocked by output chain)
Kernel re-sends bootp packet
(packet is blocked by output chain)
Kernel retries about 10 times
Kernel panics
Hmm, not very productive is it?
I for one run this exact setup - a root NFS masquerading firewall. A change
to a default of DENY would currently break root NFS.
IMHO, it's better that it does default to ACCEPT, and as you say, you have
an option to use 'ipchains -P input DENY' before bringing up the interface
if you so wish.
_____
|_____| ------------------------------------------------- ---+---+-
| | Russell King rmk@arm.linux.org.uk --- ---
| | | | http://www.arm.linux.org.uk/~rmk/aboutme.html / / |
| +-+-+ --- -+-
/ | THE developer of ARM Linux |+| /|\
/ | | | --- |
+-+-+ ------------------------------------------------- /\\\ |
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Jan 23 2000 - 21:00:16 EST