On 2014-08-10 22:30, Joe wrote:
> Why is it unresolvable? A DROP/REJECT policy is fail-safe, ACCEPT
> isn't. If the rest of the rules are correct, (and more importantly,
> guaranteed always to stay that way in the face of editing, sometimes
> rushed) an ACCEPT policy is redundant, and if they're not, it's
> dangerous. You will never *ever* want that ACCEPT policy rule to be
> traversed.
>
> But it greatly simplifies matters during a short go-nogo test, during
> which the probability of an attack is quite small. And here's another
> reason that the Internet connection should be farmed out to a dedicated
> device containing at least a simple stateful packet filter, so that
> experimentation with the main firewall carries little risk.
>

Yes, it can work as a short go-nogo test. But the suggestion did not mention that it is only for that. And it is very likely that when the OP tries this and it 'works' (I mean the Windows machine behind the Linux works well), then the rules will remain. And - as the Linux server can have a lot of services - it will leave a lot of security holes to the world.

So I wouldn't suggest such a situation; in my opinion the minimum policy should still be safe (at least a bit). So the default policy for nat and mangle can be ACCEPT without too much risk, but on the filter table set ACCEPT on the OUTPUT chain, set DROP for INPUT and FORWARD, and explicitly allow what you want. This should be the minimum security level for a home firewall.

--
--- Friczy ---
'Death is not a bug, it's a feature'
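As an added illustration of the policy described in the post above (this is not part of the thread, and it is not anyone's production ruleset), here is a minimal home-router firewall in iptables-restore format: filter INPUT and FORWARD default to DROP, OUTPUT stays ACCEPT, nat is left at ACCEPT, and everything else is allowed explicitly. The interface names (eth0/eth1), the LAN range and the two allowed services (SSH and DNS from the LAN side) are constructed assumptions. By default the script only prints the ruleset; it applies it only when run with `APPLY=1`, and refuses to apply if the fail-safe policies are not in place, which is the go-nogo check the post argues should not be left out.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal home-router ruleset that
# follows the post's advice (filter INPUT/FORWARD DROP, OUTPUT ACCEPT,
# nat left at ACCEPT, explicit allows only). Interface names and the LAN
# range below are constructed assumptions; adjust for the real box.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# gen_rules prints the complete ruleset in iptables-restore syntax.
# It never touches the kernel, so it is safe to run as an unprivileged user.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no valid tracked connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Admin access and DNS only from the LAN side (assumed services on this box)
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
# Rate-limited ping so the router stays diagnosable
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Forwarding: LAN hosts may go out; only replies come back in
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# policy_of TABLE CHAIN prints the default policy the ruleset gives that chain,
# looking only inside the named table (nat and filter both have an INPUT chain).
policy_of() {
    gen_rules | awk -v t="*$1" -v c=":$2" '
        $0 == t { in_t = 1; next }
        /^\*/   { in_t = 0 }
        in_t && $1 == c { print $2; exit }'
}

# check_failsafe succeeds only when filter INPUT and FORWARD default to DROP,
# i.e. when the ACCEPT policy the post warns about cannot be traversed.
check_failsafe() {
    [ "$(policy_of filter INPUT)" = DROP ] && [ "$(policy_of filter FORWARD)" = DROP ]
}

if [ "${APPLY:-0}" = 1 ]; then
    # Go-nogo gate before loading: refuse to install a ruleset that is not fail-safe.
    check_failsafe || { echo "refusing to apply: INPUT/FORWARD policy is not DROP" >&2; exit 1; }
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it without arguments to review the generated rules; run `APPLY=1 sh firewall.sh` as root to load them atomically with iptables-restore. Because the default policies are set in the table header rather than by a trailing rule, a hurried edit that deletes or reorders an `-A` line cannot silently turn the firewall into an ACCEPT-everything box, which is the fail-safe property the post is arguing for.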