
List:       netfilter
Subject:    Re: Implications of a permissive FORWARD chain
From:       Ambroz Bizjak <ambrop7 () gmail ! com>
Date:       2014-02-18 19:57:05
Message-ID: CAOA3yKL0AaWeg2OEoyjHRZh1padj47byxkrJaTM4vwp1iPL8VQ () mail ! gmail ! com

It's worth pointing out that packets coming in from interface A with
the destination address equal to the local address of interface B will
be considered INPUT, not FORWARD. So, even if you drop packets in
FORWARD, binding a service to a specific interface address, as a
security measure, does not actually make it reachable only via that
interface. You'd need to explicitly drop those packets in INPUT to
protect the service.

On Tue, Feb 18, 2014 at 6:53 PM, Mark Fox <mark.fox@gmail.com> wrote:
> I've been waffling over a permissive or restrictive FORWARD chain and have
> realized that my understanding of the implications is lacking. So I'll just
> ask: What are the implications of a permissive FORWARD chain?
>
> My situation is that I am deploying a virtualization/containerization host
> at a facility that has one big network for everything (servers, desktop
> workstations, etc.). There is no DMZ. As one would expect, the network is
> really chatty.
>
> Traffic has to be forwarded to/from the VM/container host to/from the VMs or
> containers, so a DROP policy on the FORWARD chain means carefully crafting
> rules to allow traffic to be forwarded to the VMs/containers. I have no
> issues with that, but it does mean that the future users of the VM/container
> host would have to craft their own rules when they add new VMs/containers.
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
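As an added example, not part of this thread, the rule set below acts on the point Ambroz makes: a packet addressed to interface B's own address is handled by the INPUT chain no matter which interface it arrived on, so a FORWARD DROP policy never sees it and the restriction has to be expressed in INPUT. The interface name, address and port are placeholders (eth1, 192.0.2.10, 8080), and IPT defaults to printing the iptables commands instead of applying them; set IPT=iptables to apply them as root.

```shell
#!/bin/sh
# Added example, not from the netfilter list post: make a service that is
# bound to interface B's address reachable only through interface B.
# Assumed names: eth1 / 192.0.2.10 / 8080 are placeholders for your host.
# IPT defaults to a dry run that prints the commands; IPT=iptables applies them.

IPT="${IPT:-echo iptables}"

# emit_input_rules IFACE ADDR PORT
# Every packet whose destination is one of the host's own addresses goes
# through INPUT, never FORWARD, regardless of the ingress interface, so the
# interface restriction must be enforced here. Rule order matters: the
# explicit DROP must come before any broader ACCEPT for the same port.
emit_input_rules() {
    iface="$1"; addr="$2"; port="$3"

    # Loopback traffic and replies to connections the host itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Accept the service only when the packet both arrived on the intended
    # interface and is addressed to that interface's address.
    $IPT -A INPUT -i "$iface" -d "$addr" -p tcp --dport "$port" -j ACCEPT

    # Anything for ADDR that entered through another interface still lands
    # in INPUT (not FORWARD), so drop it here; a FORWARD DROP policy does
    # nothing for these packets.
    $IPT -A INPUT ! -i "$iface" -d "$addr" -j DROP
}

# Dry-run demonstration with the placeholder values (prints the commands).
emit_input_rules "${SVC_IF:-eth1}" "${SVC_ADDR:-192.0.2.10}" "${SVC_PORT:-8080}"
```

Before applying this on a host that is managed over the same interface, check which address and interface the management session uses; the final DROP rule covers all protocols for that address, not just the service port.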