Re: Default Forwarding Policies

Michael O'Reilly (michael@metal.iinet.net.au)
Mon, 01 Jul 1996 20:50:12 +0800


In message <19960701124432.23639.qmail@slip-5-9.ots.utexas.edu>, lilo writes:
> I'm not sure I understand this. Leonard's point would seem to be that the
> `default' forwarding policy should be something like deny or reject. It's
> easy to change that once your interfaces are up. Many of us would never
> have to change it at all, since a `default' policy of deny or reject would
> make a good base for a set of careful forwarding rules. And it's easy to
> change the default to whatever you prefer if you are actually doing
> forwarding....

That is the point. Basically, no interfaces up is a 'deny' policy. No
packets will be forwarded. If you set the rules BEFORE you bring
interfaces up, you'll never see a packet without your rules being set.

Basically, for the people that turn filtering on 'just in case', the
current policy of forwarding everything is fine.

For the people that need no window where a packet might slip through,
set the rules before you bring up the interface. No packet will be
routed until the rules are all set. This effectively does the same
thing as a 'deny' default policy.

Michael.