Roberto C. Sánchez wrote:
> On Thu, May 08, 2008 at 07:37:25PM -0700, Erik Mundall wrote:
>> sudo iptables -F
>> sudo iptables -X
>> sudo iptables -P INPUT ACCEPT
>> sudo iptables -P OUTPUT ACCEPT
>>
>> The instructions were that this would completely open up the iptables,
>> and would require a firewall to take care of the security in place of
>> the iptables.
>>
>> But now I ask:
>> 1) Is this safe?
>
> I'm not sure what you mean by this.  Basically, those commands
> completely flush all rules, delete all user-defined chains and default
> allow all inbound and outbound traffic.  If your system faces the public
> Internet and you execute those commands and don't follow them up with
> any protective measures, then that is certainly a recipe for disaster.

And those rules do nothing with forwarded traffic, nat, mangle or raw rules. In other words, those rules are very incomplete.

>> 2) Does shorewall replace ALL of the necessary iptables rules with its
>> own secure policies, or does it merely adjust the tables already
>> there?
>
> Shorewall replaces all the iptables rules, else there would be no sane
> way to do it.
>
>> 3) Would there be any better way of opening up the iptables?
>
> If you run 'shorewall clear' it has the same effect as the commands you
> listed above.

And much more.

> Of course, then you leave yourself wide open.  You can do
> this for troubleshooting, for example, to see if some misbehavior still
> occurs after clearing the iptables rules, which will tell you if the
> problem is with Shorewall or with something else.

Agreed.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
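The four commands quoted at the top of the thread only touch the filter table, which is the point Tom makes about forwarded traffic, nat, mangle and raw. The following is an added check, not code from the thread or from Shorewall: a small POSIX shell function that reads an iptables-save dump and reports what such a partial clear leaves behind (remaining rules per table and any built-in chain whose policy is not ACCEPT). The dump embedded below is constructed for illustration; on a real host you would feed it `iptables-save` output.

```shell
#!/bin/sh
# audit_iptables_dump: read iptables-save text on stdin, print one line per
# table with its rule count and any built-in chain policy that is not ACCEPT.
# Exit status 1 if any table still has rules or a non-ACCEPT policy, else 0.
audit_iptables_dump() {
    awk '
        # "*filter", "*nat", ... start a table section
        /^\*/ { table = substr($0, 2); rules[table] += 0; next }
        # ":CHAIN POLICY [pkts:bytes]"; user chains have policy "-" and are skipped
        /^:/  { split($0, f, " "); chain = substr(f[1], 2)
                if (f[2] != "ACCEPT" && f[2] != "-")
                    policy[table] = policy[table] " " chain "=" f[2]
                next }
        # every rule line in iptables-save output starts with -A
        /^-A/ { rules[table]++; next }
        END {
            leftover = 0
            for (t in rules) {
                printf "%s: %d rules%s\n", t, rules[t], policy[t]
                if (rules[t] > 0 || policy[t] != "") leftover = 1
            }
            exit leftover
        }'
}

# Constructed sample: filter was flushed and INPUT/OUTPUT set to ACCEPT as in
# the quoted commands, but FORWARD, nat and mangle were never touched.
SAMPLE_DUMP='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:tcpre - [0:0]
-A PREROUTING -p tcp -j tcpre
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

printf '%s\n' "$SAMPLE_DUMP" | audit_iptables_dump || echo "partial clear: rules or policies remain"
```

Run it against a live host with `iptables-save | audit_iptables_dump` (root required for iptables-save); a fully cleared ruleset prints 0 rules for every table and exits 0.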


Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
