[Firehol-support] [sanewall-dev] Changing activation policy
Thomas Arendsen Hein
thomas at intevation.de
Mon May 21 08:19:04 BST 2012
* Phil Whineray <phil.whineray at gmail.com> [20120519 18:53]:
> For sanewall I think I should change the activation policy for the
> FORWARD chain from ACCEPT TO DROP.
>
> Could people please let me know if this will adversely affect them and
> if possible test what effect it has?
>
> Just add to the top of your config:
> SANEWALL_FORWARD_ACTIVATION_POLICY=DROP
>
> If you are using firehol the equivalent would be to add:
> FIREHOL_FORWARD_ACTIVATION_POLICY=DROP
>
> There are two other policies for INPUT and OUTPUT, also set to ACCEPT
> during activation. This is as designed, to avoid interfering with established
> connections whilst restarting and eliminates the risk that the host becomes
> inaccessible to the admin if something goes wrong whilst restarting the
> firewall remotely.
I am using DROP on INPUT/OUTPUT/FORWARD since 2003 on multiple
(40-60?) hosts and absolutely never had a disconnect of the ssh
session I used to activate the rules, even with very large rulesets,
where it took up to 5 minutes to activate >5000 rules across many
interfaces.
See my very old bug report about this:
http://sourceforge.net/tracker/?func=detail&atid=487695&aid=756001&group_id=58425
Therefore I suggest setting it to DROP for all three activation
policies.
Regards,
Thomas
--
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
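Illustration of what an "activation policy" controls, in raw iptables terms. This is an added example for this archive page, not firehol's or sanewall's own activation code: the exact command sequence, the ESTABLISHED,RELATED rule being loaded first, the IPTABLES override for dry runs and the watchdog rollback are all this example's own assumptions. The point it shows is the one both messages turn on: with the three chains set to DROP for the duration of the reload, nothing is accepted while the chains are empty, and the admin's existing ssh session survives because the first rule loaded after the flush keeps established connections.

```shell
#!/bin/sh
# Added example (not firehol/sanewall code): the order of iptables calls
# around a ruleset reload, parameterised by the activation policy.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run

# Print the reload sequence, one iptables invocation per line.
#   $1 = activation policy (ACCEPT or DROP) for INPUT/OUTPUT/FORWARD while
#        the old rules are torn down and the new ones loaded
#   $2 = final policy for the three chains once the ruleset is in place
activation_plan() {
    act="$1"; final="$2"
    case "$act" in ACCEPT|DROP) ;; *) echo "bad activation policy: $act" >&2; return 1 ;; esac
    case "$final" in ACCEPT|DROP) ;; *) echo "bad final policy: $final" >&2; return 1 ;; esac
    # 1. Activation policy first: during the reload every packet that no
    #    rule matches gets this verdict, so DROP leaks nothing while the
    #    chains are empty (ACCEPT leaks everything until the rules land).
    for chain in INPUT OUTPUT FORWARD; do
        printf '%s -P %s %s\n' "$IPTABLES" "$chain" "$act"
    done
    # 2. Tear down the old ruleset (flush rules, delete user chains).
    printf '%s -F\n%s -X\n' "$IPTABLES" "$IPTABLES"
    # 3. First rule loaded: keep already-established flows, i.e. the ssh
    #    session the admin is reloading from, whatever comes after.
    for chain in INPUT OUTPUT FORWARD; do
        printf '%s -A %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
            "$IPTABLES" "$chain"
    done
    # 4. The real ruleset (constructed sample: allow new inbound ssh).
    printf '%s -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$IPTABLES"
    # 5. Final policies once everything is in place.
    for chain in INPUT OUTPUT FORWARD; do
        printf '%s -P %s %s\n' "$IPTABLES" "$chain" "$final"
    done
}

# Check on a generated plan: the first rule appended after the flush must
# be the ESTABLISHED,RELATED accept. If it is not, a DROP activation policy
# cuts live sessions for as long as the rest of the load takes.
plan_preserves_sessions() {
    printf '%s\n' "$1" | grep -- ' -A ' | head -n 1 | grep -q 'ESTABLISHED,RELATED'
}

# Run a plan line by line. A background watchdog resets all three policies
# to ACCEPT after $2 seconds unless confirm_activation is called first, so
# a remote reload that goes wrong does not lock the admin out for good.
apply_with_rollback() {
    plan="$1"; grace="$2"
    (
        sleep "$grace"
        for chain in INPUT OUTPUT FORWARD; do "$IPTABLES" -P "$chain" ACCEPT; done
    ) &
    WATCHDOG_PID=$!
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        $cmd || exit 1     # stop at the first failing iptables call
    done
}

# Call this from the still-working ssh session to disarm the watchdog.
confirm_activation() {
    kill "$WATCHDOG_PID" 2>/dev/null
}
```

Usage on a real host (as root): `plan=$(activation_plan DROP DROP); plan_preserves_sessions "$plan" && apply_with_rollback "$plan" 120`, then `confirm_activation` once the session is seen to be alive. With `IPTABLES=echo` the same calls only print the sequence, which is the cheap way to compare what ACCEPT and DROP activation policies do before touching a remote box.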