Re: Default Forwarding Policies

lilo (
Mon, 1 Jul 1996 07:44:32 -0500 (CDT)

I'm not sure I understand this. Leonard's point would seem to be that the
`default' forwarding policy should be something like deny or reject. It's
easy to change that once your interfaces are up. Many of us would never
have to change it at all, since a `default' policy of deny or reject would
make a good base for a set of careful forwarding rules. And it's easy to
change the default to whatever you prefer if you are actually doing

I think he has a point.


On Mon, 1 Jul 1996, Michael O'Reilly wrote:

> No, the filters should just be added before the network interfaces are
> brought up. No packets will be forwarded until the ifconfig is done,
> so just make sure the filters are added first.
> Note that many people (i.e. me :) enable both forwarding and
> filtering, as I don't want to have to reboot the machine just to add a
> temporary filter.
> Michael.
> >>>>> ""Leonard" == "Leonard N Zubkoff" <> writes:
> > If IP Forwarding and IP Firewall are both included in a kernel,
> > shouldn't the default policy be to not forward anything until the
> > system startup scripts set the appropriate policies? Otherwise,
> > there's a window of time during boot when packets will be forwarded
> > but should not be. Worse still, if a crash causes a reboot that
> > doesn't get far enough to run the startup scripts, a machine might
> > be left with forwarding turned on indefinitely until someone notices
> > the problem.
> > Leonard