From netfilter Tue Feb 18 19:29:20 2014
From: Leonardo Rodrigues
Date: Tue, 18 Feb 2014 19:29:20 +0000
To: netfilter
Subject: Re: Implications of a permissive FORWARD chain
Message-Id: <5303B490.6070606 () solutti ! com ! br>
X-MARC-Message: https://marc.info/?l=netfilter&m=139275177730165

On 18/02/14 14:53, Mark Fox wrote:
> I've been waffling over a permissive or restrictive FORWARD chain and have
> realized that my understanding of the implications is lacking. So I'll just
> ask: What are the implications of a permissive FORWARD chain?
>
> My situation is that I am deploying a virtualization/containerization host
> at a facility that has one big network for everything (servers, desktop
> workstations, etc.). There is no DMZ. As one would expect, the network is
> really chatty.
>
> Traffic has to be forwarded to/from the VM/container host to/from the VMs or
> containers, so a DROP policy on the FORWARD chain means carefully crafting
> rules to allow traffic to be forwarded to the VMs/containers. I have no
> issues with that, but it does mean that the future users of the VM/container
> host would have to craft their own rules when they add new VMs/containers.
>

There's no right or wrong on how your FORWARD default rule should be. Being DROP or ACCEPT depends on your network security policies.

With ACCEPT as the default action for FORWARD, your Linux router will forward anything from one side to the other, unless it's explicitly DROPped by the rules. With DROP as the default action, everything will be dropped, except what is explicitly ACCEPTed by your rules.

Which one fulfills your demands? So that's the right one for you! No one can tell you, given only the information you wrote, that DROP or ACCEPT is right or wrong. There's really no right or wrong here, there's what fulfills your demands/needs and what doesn't.
--
Sincerely,

Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT email it: gertrudes@solutti.com.br
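A restrictive FORWARD chain of the kind the thread discusses, written as an added example that is not from either poster: it assumes the VMs/containers hang off bridge br0 and the shared facility LAN is on eth0 (both hypothetical names), sets the DROP policy, allows only replies, VM-initiated traffic, and the services a VM explicitly publishes, and logs what falls through so a new VM's missing rule shows up in syslog instead of failing silently. Set IPT=echo to dry-run it.

```shell
#!/bin/sh
# Default-deny FORWARD chain for a VM/container host (added example).
# Assumptions: VMs are bridged on $vm_if (e.g. br0), the facility LAN is
# on $lan_if (e.g. eth0), and IP forwarding is already enabled on the host.
# IPT=echo prints the commands instead of applying them (dry-run).
IPT="${IPT:-iptables}"

apply_forward_policy() {
    lan_if="$1"      # interface toward the shared facility LAN
    vm_if="$2"       # bridge carrying the VMs/containers
    shift 2          # remaining args: "proto:port" services the VMs expose

    # Default-deny: anything not explicitly ACCEPTed below is dropped.
    "$IPT" -P FORWARD DROP
    "$IPT" -F FORWARD

    # Replies to connections that were allowed in the first place.
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot classify (out-of-state) are dropped early.
    "$IPT" -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # VMs may initiate connections toward the LAN.
    "$IPT" -A FORWARD -i "$vm_if" -o "$lan_if" -j ACCEPT

    # The LAN may reach only the services a VM explicitly publishes
    # (tcp or udp, since --dport needs one of those protocols).
    for svc in "$@"; do
        proto="${svc%%:*}"
        port="${svc#*:}"
        "$IPT" -A FORWARD -i "$lan_if" -o "$vm_if" -p "$proto" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # Rate-limited log of everything that is about to hit the DROP policy,
    # so a newly added VM's missing ACCEPT rule is visible in syslog.
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Usage: VMs on br0 publish SSH and HTTPS to the LAN on eth0.
# apply_forward_policy eth0 br0 tcp:22 tcp:443
```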