From netfilter Tue Feb 18 19:57:05 2014 From: Ambroz Bizjak Date: Tue, 18 Feb 2014 19:57:05 +0000 To: netfilter Subject: Re: Implications of a permissive FORWARD chain Message-Id: X-MARC-Message: https://marc.info/?l=netfilter&m=139275343130844 It's worth pointing out that packets coming in from interface A with the destination address equal to the local address of interface B will be considered INPUT, not FORWARD. So, even if you have drop packets in FORWARD, binding a service to a specific interface address, as a security measure, does not actually make it reachable only via that interface. You'd need to explicitly drop those packets in INPUT to protect the service. On Tue, Feb 18, 2014 at 6:53 PM, Mark Fox wrote: > I've been waffling over a permissive or restrictive FORWARD chain and have > realized that my understanding of the implications is lacking. So I'll just > ask: What are the implications of a permissive FORWARD chain? > > My situation is that I am deploying a virtualization/containerization host > at a facility that has one big network for everything (servers, desktop > workstations, etc.). There is no DMZ. As one would expect, the network is > really chatty. > > Traffic has to be forwarded to/from the VM/container host to/from the VMs or > containers, so a DROP policy on the FORWARD chain means carefully crafting > rules to allow traffic to be forwarded to the VMs/containers. I have no > issues with that, but it does mean that the future users of the VM/container > host would have to craft their own rules when they add new VMs/containers. > > -- > To unsubscribe from this list: send the line "unsubscribe netfilter" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html