Hosting Provided By

Re: Why not have firewall rules by default?

From: Vincent Deffontaines <vincent(at)gryzor.com>
Date: Wed Jan 23 2008 - 13:11:19 EST

Michael Loftis wrote:
[snip]
> It's better to leave the service disabled, or even better, completely
> uninstalled from a security standpoint, and from a DoS standpoint as
> well. The Linux kernel isn't very efficient at processing firewall
> rules. Newer kernels might be though (I honestly haven't looked as
> deeply into this in late 2.6 as i did/do in 2.4...2.4 processes
> firewall rules strictly step by step)

The processing of Netfilter rules has not fundamentally changed from 2.4 to 2.6.
However, there is a way to load rules in a monilithic way, by using iptables-restore, in place
of calling "iptables" multiple times. (IIRC, at some point in the past, debian used that to save
rules at system shutdown and reload them at boot, but I may be wrong).

Vincent

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Received on Wed Jan 23 13:38:40 2008

This message: [ Message body ]
Next message: Riku Valli: "Re: Why not have firewall rules by default?"
Previous message: Ondrej Zajicek: "Re: Why not have firewall rules by default?"
In reply to: Michael Loftis: "Re: Why not have firewall rules by default?"
Next in thread: Ondrej Zajicek: "Re: Why not have firewall rules by default?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:55:23 EDT