What's wrong with "iptables -P FORWARD DROP"?
I don't want my device to route IP packets between any other devices that I don't know about.
The default setting is ACCEPT, not DROP. Why?
Typically, forwarding is disabled anyway, and if you activate it, you can also configure the firewall right away.
Hence the default policy is ACCEPT everywhere, simply because no intervention takes place at all when nothing has been configured.
For Docker, Podman or LXC, you need IP forwarding if the containers are to have access to the network.
Not necessarily.
I’d say the standard case is that no firewall is active. So first of all, a trustworthy network.
The default setting of all iptables policies is ACCEPT. Switching to DROP is always sensible. Even if you use the function, you set specific rules for the permitted traffic.
If you don't do forwarding / routing, you can avoid the problem.
I also have policy DROP on INPUT and OUTPUT, but with appropriate rules for the permitted traffic in front of it.
Typically, however, there is the net.ipv4.ip_forward kernel flag, which is usually off by default, so that ACCEPT does not take effect in principle.
PS: If you run Docker or virtualization on the box, you may need rules for it.
Well, for INPUT and OUTPUT I find ACCEPT useful, because the services running on the device should be reachable, and you don't normally want to restrict yourself for outgoing packets.
That's why IP forwarding is even activated, I think. But Docker does create its own rules, so the policy should be fairly irrelevant.
DROP allows more control. For the services there are rules that explicitly allow them. For example, I only want to allow SSH from the LAN, not from the whole world. On OUTPUT opinions can be divided, because it does mean work; I only do it on servers with a fixed task.
It makes sense for servers. There’s a firewall in the router anyway, there’s nothing going on except what I’m allowed to do.
A general DROP would block all forwarding traffic, regardless of specific security rules, which would inevitably lead to problems in the network.
This is only the policy if no rule applies to the package.
Actually, it is not "just" the policy that intervenes when no other rule applies. The "only" is completely out of place here, because it is the policy that ALWAYS intervenes when there is no other rule. It's like the trash bin that catches any junk you haven't explicitly handled with another rule before.
So it is quite possible that there is also something you need in the network, but because you don't explicitly handle it with another rule (and you don't have it on the screen!), you shoot yourself into nirvana.
So that can be completely fine and appropriate, but it can also cause immense problems if you don't bear in mind that this policy is active.
Usually you allow all traffic first and then block what you definitely don't want.
Or the other way round: block everything -> and then allow things again. You have to decide which path is easier to maintain in your application.
Well, you have to assume that the average clueless user doesn't know that much, and therefore it isn't necessary to seal the firewall completely.
This is about the FORWARD chain, which is not needed on a normal PC or server, only if the computer functions as a router or firewall. Therefore DROP as the default policy does no harm.
Apart from the fact that it has no effect at all as long as you have not explicitly enabled IP forwarding in the kernel with
sysctl net.ipv4.ip_forward=1
And yes, the policy determines whether you want blacklisting or whitelisting in the respective chain. Everyone has to decide what is more sensible for the respective application.
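As an added example (not posted by anyone in this thread), here is the "policy DROP, then allow explicitly" style for the FORWARD chain, emitted as an iptables-restore ruleset so it can be reviewed before loading, plus the ip_forward check the answer above refers to. Interface names and the LAN subnet are placeholders passed as arguments; the log rule exists so traffic that the policy silently eats shows up in the kernel log instead of disappearing into nirvana.

```shell
#!/bin/sh
# Added example: a whitelisting FORWARD chain and an ip_forward check.
# The interface names and subnet are assumed; adjust them to your box.

# Return 0 if the kernel will forward at all; without this, FORWARD rules never
# see a packet. The optional path argument lets the check run against a copy
# of the file; the default is the real sysctl node.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Print a filter-table ruleset: policy DROP on FORWARD, then only the traffic
# we deliberately route. $1 = LAN interface, $2 = WAN interface, $3 = LAN subnet.
# Note: iptables-restore replaces the whole filter table, so add your INPUT and
# OUTPUT rules to this file before loading it.
forward_ruleset() {
    lan="$1"; wan="$2"; net="$3"
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# replies belonging to connections we already allowed
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# a packet with a LAN source address must never arrive from the WAN side
-A FORWARD -i $wan -s $net -j DROP
# new connections from the LAN out to the WAN only
-A FORWARD -i $lan -o $wan -s $net -m conntrack --ctstate NEW -j ACCEPT
# log (rate-limited) what the policy is about to drop, so surprises are visible
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD-DROP: "
COMMIT
EOF
}

# Count the ACCEPT rules in a ruleset text, as a sanity check before loading.
accept_rule_count() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}
```

Load the generated text with `iptables-restore` only after reading it; the log prefix makes the dropped forwarding traffic greppable in `dmesg` or the journal.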
Sorry, which device do you mean?
One with Linux, e.g. a Raspberry Pi (but no router).