I wrote this message on the 17th of January, however there was a
problem with the way it got posted.
Below you will find the relative portion to which this applies
rather than the whole post (to save bandwidth).
The message begins "Eric Preston wrote:" followed by several
paragraphs posted below. The paragraphs however were NOT Eric
Preston's writing, but was a "prelude" to the actual letter
below. The paragraphs directly under the "Eric Preston wrote"
part were written by myself, and not meant to appear as if he had
written them. I just wanted to clarify this because it was
pointed out to me that it appears to attribute my words to Eric,
and that is not my intention.
I apologize to Eric for this unintended misattribution, and hope
this clarifies things. Now if only PINE was smart enough to
autodetect these things in the future... ;o)
Sorry for any misinterpretations caused by this.
-- Mike A. Harris Linux advocate Computer Consultant GNU advocate Capslock Consulting Open Source advocateJoin the FreeMWare project - the goal to produce a FREE program in which you can run Windows 95/98/NT, and other operating systems.
---------- Forwarded message ---------- Date: Mon, 17 Jan 2000 05:56:21 -0500 (EST) From: Mike A. Harris <mharris@meteng.on.ca> To: Linux Kernel mailing list <linux-kernel@vger.rutgers.edu> Cc: Eric Preston <eric@ericpreston.com> Subject: IP filtering should default to DENY?
On Mon, 17 Jan 2000, Eric Preston wrote:
This is posted to linux-kernel because I do not have POSIX, etc.. documents handy to provide pure facts, but I know other people do. Also, I figured others would have a better job in squashing the thread quickly - either way, and with a lot more valid points than I could.
The thread is based on a message I wrote claiming that the boot sequence in RedHat brings up network interfaces prior to linuxconf enabling firewall rules thus giving a window of opportunity at boot time at which the firewall is not enabled. I suggested that the firewall scripts should be called PRIOR to networking.
Next, it was suggested that the kernel's source be modified to change the default rules to DENY instead of accept. I did not see any reason for this since the same can be achieved in userland without editing source, just by putting the ipchains script ahead of the one that enables network interfaces.
This now brings up a debate that the kernel would be more secure if it defaulted to DENY which I disagree with, and believe that it would likely violate POSIX or UNIX98 or some other standard. I do not have any specific info to support this, but I'll bet someone else does know and can set things straight.
So, what is the reason for the ipfilter defaulting to ACCEPT? (Aside from the fact that it doesn't matter, and can be done in userland quite effectively that is... ;o)
-- Mike A. Harris Linux advocate Computer Consultant GNU advocate Capslock Consulting Open Source advocate
Join the FreeMWare project - the goal to produce a FREE program in which you can run Windows 95/98/NT, and other operating systems.
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Jan 23 2000 - 21:00:18 EST