[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netfilter
Subject:    Implications of a permissive FORWARD chain
From:       Mark Fox <mark.fox () gmail ! com>
Date:       2014-02-18 17:53:35
Message-ID: loom.20140218T183628-993 () post ! gmane ! org
[Download RAW message or body]

I've been waffling over a permissive or restrictive FORWARD chain and have
realized that my understanding of the implications is lacking. So I'll just
ask: What are the implications of a permissive FORWARD chain?

My situation is that I am deploying a virtualization/containerization host
at a facility that has one big network for everything (servers, desktop
workstations, etc.). There is no DMZ. As one would expect, the network is
really chatty.

Traffic has to be forwarded to/from the VM/container host to/from the VMs or
containers, so a DROP policy on the FORWARD chain means carefully crafting
rules to allow traffic to be forwarded to the VMs/containers. I have no
issues with that, but it does mean that the future users of the VM/container
host would have to craft their own rules when they add new VMs/containers.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[prev in list] [next in list] [prev in thread] [next in thread]