At 05:03 AM 6/15/01 , Bryan Walton wrote:
>...
>2) More to the point, Ziegler suggests setting the input, output, and
>forward default policies to DENY and then decide what to allow through.  It
>has dawned on me that I can make my rules MUCH simpler by setting the output
>chain's default policy to ACCEPT and remove all of the output rules from 
>the script since philosophically I don't have any interest or
>desire to limit what my family members do on the net.  As long as I 
>filter out incoming traffic that I deem dangerous, is there anything to fear
>from having the output default policy set to ACCEPT?  Or am I missing
>something obvious?

When I set up a similar system at my home I relied on recommendations from a
document which recommended a strong ruleset based on DENY/REJECT in the output
chain. As I learned over time, I realized that ACCEPT was the better policy.
Several previously blocked services are now accessible, and now I specifically
DENY only certain outputs (X ports, SMB) as precautions, and allow everything
to pass between the computers on the home LAN.

My only other concern was Internet filtering for the kids, which I solve by
disallowing forwarding when neither of us can supervise
(echo "0" > /proc/sys/net/ipv4/ip_forward) rather than setting any rules in
the firewall.

Jeff
-------

Jeffrey B. Green                Personal Computer Consultant - Las Vegas, Nevada
http://jbgreen.com              Networking Las Vegas Since 1986