[Firehol-devs] [sanewall-dev] Changing activation policy

Phil Whineray phil.whineray at gmail.com
Mon May 21 21:22:16 BST 2012


On Mon, May 21, 2012 at 09:19:04AM +0200, Thomas Arendsen Hein wrote:
> * Phil Whineray <phil.whineray at gmail.com> [20120519 18:53]:
> > Could people please let me know if this will adversely affect them and
> > if possible test what effect it has?

> I am using DROP on INPUT/OUTPUT/FORWARD since 2003 on multiple
> (40-60?) hosts and absolutely never had a disconnect of the ssh
> session I used to activate the rules, even with very large rulesets,
> where it took up to 5 minutes to activate >5000 rules across many
> interfaces.

> See my very old bug report about this:
> http://sourceforge.net/tracker/?func=detail&atid=487695&aid=756001&group_id=58425

Good to know (and where the policy setting variables originate :)

> Therefore I suggest setting it to DROP for all three activation
> policies.

I may do that, and bring the options front and centre in the
documentation so people can make an informed choice if they want to
revert to the old behaviour.

I think ACCEPT during the initial phase is generally not too bad when
the connection will be severed upon completion, per Costas' description.
I am convinced it is not safe when an "all" service is in use and DROP
would eliminate the problem.

If I make DROP the default I will see if there is some way to protect
existing connections (maybe allow prior-established traffic immediately
and delete those rule(s) at the end?). New connections can wait until
the appropriate rules are loaded.

Thanks for the feedback

Phil
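The activation sequence sketched in the message above (policies set to DROP before the ruleset is loaded, with prior-established traffic allowed until the real rules are in place, then that temporary rule removed), written out as an added example; this is not firehol's own code, and the rule positions, the `-m state` match and the `IPT` variable are assumptions. By default `IPT` is `echo iptables`, so running the script only prints the commands it would issue.

```shell
#!/bin/sh
# Added example (not firehol's code): DROP policies during activation while
# keeping the ssh session that activates the firewall alive.
# IPT is an assumption: leave the default to dry-run, or set IPT=iptables.
IPT="${IPT:-echo iptables}"

# Temporary rule: accept traffic belonging to connections that already
# existed before activation (e.g. the admin's ssh session).
TMP_RULE="-m state --state ESTABLISHED,RELATED -j ACCEPT"

activation_begin() {
    # Insert the temporary rules first, at position 1, so there is no
    # window in which established traffic hits a DROP policy.
    $IPT -I INPUT 1 $TMP_RULE
    $IPT -I OUTPUT 1 $TMP_RULE
    # Now new connections wait until the real rules are loaded.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -P "$chain" DROP
    done
}

activation_end() {
    # The loaded ruleset carries its own established/related handling,
    # so the temporary rules are removed by specification.
    $IPT -D INPUT $TMP_RULE
    $IPT -D OUTPUT $TMP_RULE
}

# Number of iptables commands the full sequence would issue (dry-run check).
activation_count() {
    { activation_begin; activation_end; } | grep -c '^iptables '
}

activation_begin
echo "# ... the real ruleset would be loaded here ..."
activation_end
```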
