[Firehol-devs] [sanewall-dev] Changing activation policy
phil.whineray at gmail.com
Mon May 21 21:22:16 BST 2012
On Mon, May 21, 2012 at 09:19:04AM +0200, Thomas Arendsen Hein wrote:
> * Phil Whineray <phil.whineray at gmail.com> [20120519 18:53]:
> > Could people please let me know if this will adversely affect them and
> > if possible test what effect it has?
> I am using DROP on INPUT/OUTPUT/FORWARD since 2003 on multiple
> (40-60?) hosts and absolutely never had a disconnect of the ssh
> session I used to activate the rules, even with very large rulesets,
> where it took up to 5 minutes to activate >5000 rules across many
> See my very old bug report about this:
Good to know (and where the policy setting variables originate :)
> Therefore I suggest setting it to DROP for all three activation
I may do that, and bring the options front and centre in the
documentation so people can make an informed choice if they want to
revert to the old behaviour.
I think ACCEPT during the initial phase is generally not too bad when
the connection will be severed upon completion, per Costas description.
I am convinced it is not safe when an "all" service is in use and DROP
would eliminate the problem.
If I make DROP the default I will see if there is some way to protect
existing connections (maybe allow prior-established traffic immediately
and delete those rule(s) at the end?). New connections can wait until
the appropriate rules are loaded.
Thanks for the feeback
More information about the Firehol-devs