[Firehol-support] [sanewall-dev] Changing activation policy
Thomas Arendsen Hein
thomas at intevation.de
Mon May 21 08:19:04 BST 2012
* Phil Whineray <phil.whineray at gmail.com> [20120519 18:53]:
> For sanewall I think I should change the activation policy for the
> FORWARD chain from ACCEPT TO DROP.
> Could people please let me know if this will adversely affect them and
> if possible test what effect it has?
> Just add to the top of your config:
> If you are using firehol the equivalent would be to add:
> There are two other policies for INPUT and OUTPUT, also set to ACCEPT
> during activation. This as-designed, to avoid intefering with establish
> connections whilst restarting and eliminated the risk that the host becomes
> inaccessible to the admin if something goes wrong whilst restarting the
> firewall remotely.
I am using DROP on INPUT/OUTPUT/FORWARD since 2003 on multiple
(40-60?) hosts and absolutely never had a disconnect of the ssh
session I used to activate the rules, even with very large rulesets,
where it took up to 5 minutes to activate >5000 rules across many
See my very old bug report about this:
Therefore I suggest setting it to DROP for all three activation
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 198 bytes
Desc: not available
More information about the Firehol-support