Or is there a better way to achieve this goal? -- gentoo-user@gentoo.org mailing list
I was looking for a way to set the default rule for the INPUT chain to DROP. I do not want to change the rule with iptables -P INPUT DROP after loading the kernel; I want the kernel/modules to automatically drop everything after they have been loaded.

You can do this for the FORWARD chain with the parameter forward=0, but nothing is implemented for the INPUT chain as far as I know.

I looked inside the kernel source of the modules, and hey, it is easy to change. I recompiled the module and reloaded it. Perfect, now I have default DROP.

But as it is so easy to edit, why is there no option in the kernel or a parameter for the module that allows editing the default entries when loading the module? I can't imagine that I am the first one who wants to have a secure Linux, even if the firewall script (that could set -P INPUT DROP) fails or is delayed (I use parallel startup, so it could be that eth0 starts before iptables). Is there a reason why a default INPUT DROP policy is not supported in the kernel? (I know that you can easily remove the access to your system if you only manage it via ssh, but why not have the option, if you really want to do that?)
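Two of the risks the post raises are a firewall script that fails part-way (leaving a half-loaded ruleset) and a `-P INPUT DROP` that locks out the only SSH session. The script below is an added example, not part of the original post or of anything in the gentoo-user thread: it builds the ruleset in `iptables-restore` format, which replaces the whole table in one atomic step, and arms a timed rollback to the previous ruleset so a mistake in the allow-list reverts itself. The management port (22), the 60-second rollback delay, the IPv4-only scope and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the gentoo-user post): default-DROP INPUT policy
# applied atomically with iptables-restore, plus a timed rollback that undoes
# the change unless the operator confirms the new rules still let them in.
# Assumptions (hypothetical): management port 22/tcp, 60 s delay, IPv4 only.

# Print an iptables-restore ruleset: policy DROP on INPUT and FORWARD,
# allow loopback, established/related traffic, and new connections to the
# management TCP port.
build_ruleset() {
    mgmt_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${mgmt_port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the ruleset, so a caller can refuse to load an
# empty or truncated ruleset (the "script failed" case from the post).
count_rules() {
    build_ruleset "$1" | grep -c '^-A '
}

# Apply the ruleset atomically and arm a rollback. Requires root and
# iptables; prints the PID of the rollback job. Killing that PID confirms
# the new rules; otherwise the previous ruleset is restored after $delay.
apply_with_rollback() {
    port="$1"; delay="${2:-60}"
    [ "$(count_rules "$port")" -ge 3 ] || return 1
    backup="$(mktemp)"
    iptables-save > "$backup" || return 1
    # iptables-restore loads the table in one step: there is no window in
    # which the policy is DROP but the allow rules are not yet present.
    build_ruleset "$port" | iptables-restore || { rm -f "$backup"; return 1; }
    ( sleep "$delay"; iptables-restore < "$backup"; rm -f "$backup" ) &
    echo "$!"
}

# Dry run when not root: show the ruleset that would be loaded.
if [ "$(id -u)" -ne 0 ]; then
    build_ruleset 22
fi
```

Typical use as root is `pid=$(apply_with_rollback 22 60)`, then, once a fresh SSH connection succeeds, `kill "$pid"` to keep the rules. This does not by itself fix the boot-order race the post describes (eth0 coming up before the firewall script); that part has to be handled by ordering the firewall service before the network interfaces in the init system, which is outside the scope of this example.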