LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 08-13-2010, 09:12 AM   #16
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217Reputation: 217Reputation: 217

Quote:
Originally Posted by nicedream View Post
I'll stand by my statement that a default DENY is the best (most secure) policy. It's much easier and safer to open up the ports that you need, rather than trying to close all the ones that you don't.
It's safe as pulling the network cable out of the computer is safe. You shouldn't rely on policy you should configure things in the first place so that all traffic is handled and not leave a shotgun trap in place that will blow your own brains out =/.
 
Old 08-13-2010, 09:28 AM   #17
nicedream
Member
 
Registered: Feb 2010
Distribution: Arch Linux
Posts: 68

Rep: Reputation: 19
Quote:
Originally Posted by r3sistance View Post
It's safe as pulling the network cable out of the computer is safe. You shouldn't rely on policy you should configure things in the first place so that all traffic is handled and not leave a shotgun trap in place that will blow your own brains out =/.
Implementing a default deny policy is part of the way you make sure that all traffic *is* handled.

I fail to see how having a deny at the top of your firewall rules is in any way similar to pulling out the network cable or shooting yourself with a shotgun. You're more likely to accidentally shoot yourself if you have an open firewall and then try to create a rule for every single type of attack on each port on your system.
 
Old 08-13-2010, 01:07 PM   #18
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217Reputation: 217Reputation: 217
Quote:
Originally Posted by nicedream View Post
Implementing a default deny policy is part of the way you make sure that all traffic *is* handled.

I fail to see how having a deny at the top of your firewall rules is in any way similar to pulling out the network cable or shooting yourself with a shotgun. You're more likely to accidentally shoot yourself if you have an open firewall and then try to create a rule for every single type of attack on each port on your system.

No, it's a way of making sure all traffic is dropped. It's similar because it's not a method you should be using in the first place. If you have configured your firewall correctly you should NEVER need to rely on such a policy and I have never heard of people getting hacked because they had to open their firewall for a few minutes (not to say it can not happen but the likelihood of it, is very rare), on the other hand I have heard of hosting companies suffering customer losses due to having default deny policies causing them to black hole their servers for an hour+. On a desktop it might not be so important, in fact a firewall in itself is not as important as on a server. On a server having firewalling is important, and not blocking yourself off from the server is vastly more important then that.

Last edited by r3sistance; 08-13-2010 at 01:09 PM.
 
Old 08-13-2010, 01:20 PM   #19
nicedream
Member
 
Registered: Feb 2010
Distribution: Arch Linux
Posts: 68

Rep: Reputation: 19
Quote:
Originally Posted by r3sistance View Post
No, it's a way of making sure all traffic is dropped.
That is exactly what your firewall should do with all traffic that you have not explicitly allowed.

Quote:
Originally Posted by r3sistance View Post
If you have configured your firewall correctly you should NEVER need to rely on such a policy and I have never heard of people getting hacked because they had to open their firewall for a few minutes
I wasn't talking about a few minutes while troubleshooting. See my first post in this thread where I recommended that the original poster remove all his rules to see if he could connect via SSH. I was talking about the iptables rules that a server runs on a regular day-to-day basis.

Quote:
Originally Posted by r3sistance View Post
and not blocking yourself off from the server is vastly more important then that.
Which is why you add an explicit rule to allow SSH connections through, and possibly even restrict that to allow only your IP address (if you have a static IP).
 
Old 08-13-2010, 01:27 PM   #20
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217Reputation: 217Reputation: 217
Quote:
Originally Posted by nicedream View Post
That is exactly what your firewall should do with all traffic that you have not explicitly allowed.
Apart from when you need to flush or re-initialize it. This is a dangerous form of filtering.

Quote:
Originally Posted by nicedream View Post
I wasn't talking about a few minutes while troubleshooting. See my first post in this thread where I recommended that the original poster remove all his rules to see if he could connect via SSH. I was talking about the iptables rules that a server runs on a regular day-to-day basis.
but what you suggest would turn a few minutes of what maybe required troubleshooting into a long period blackhole.

Quote:
Originally Posted by nicedream View Post
Which is why you add an explicit rule to allow SSH connections through, and possibly even restrict that to allow only your IP address (if you have a static IP).
Right, and this itself should be handled by a rule, not a policy. If your rules are completed the last rule on the chain should be reject all, there is simply no reasonable reason why you should be relying on a fall back to the policy. However if you need to flush the firewall for whatever reason, you need to be able to get back into the server to reconfigure the firewall, thus there is reasonable reason to have an accept policy, this is why firewalls on a lot, if not most distributions default to this type of set-up.

Last edited by r3sistance; 08-13-2010 at 01:29 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH Connection Refused tuftystick Linux - Newbie 15 01-12-2009 09:44 PM
ssh connection refused kevinsn Linux - Networking 5 03-31-2008 04:48 PM
ssh connection refused - trying to set up ssh server at home openSauce Linux - Server 10 10-18-2007 05:38 PM
SSH Connection Refused meping Linux - Networking 9 04-15-2006 02:04 AM
ssh in fedora: connection refused zwanzig Linux - Networking 8 06-11-2004 05:26 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 03:00 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration