From: Bruce S. <bw...@ar...> - 2003-05-31 03:23:02
> >>Add a comment to insert one's own rules _above_ the logging rules
> >>and leave some more free lines in the script there so users really
> >>see it.
> >
> > I figured if someone was knowledgeable enough to add their own rules,
> > they would know where to add them. Depending on what they want to do,
> > they may need to add rules in other places too.
> >
> > Is that really necessary?
>
> If we are preparing a script for beginners....

Exactly. Beginners should not be writing netfilter rules (IMO). Nobody
without a good knowledge of the subject should be writing rules. They do
so at their own risk. Maybe we need a disclaimer in the script?

> >>># Log invalid packets from DROP policy:
> >>>if [ -n "$LOGGING" ] ; then
> >>> ${IPTABLES} -A INPUT -d 255.255.255.255 -j DROP # do not log broadcasts
> >>> ${IPTABLES} -A INPUT -d 224.0.0.0/8 -j DROP # do not log Microsoft multicasts
> >>
> >>Why don't you just do the above always? Do just logging when we want
> >>logging.
> >
> > Efficiency. The only good these rules do is keep a bunch of extra crap
> > out of the logs, so they do absolutely no good unless we're logging.
> > The packets are dropped anyway, along with everything else, the very
> > next thing because we are at the end of the chain (policy = drop).
> >
> > Why add the overhead of more rules when they don't do any good?
>
> If someone manages to install rules after the logging rules those
> rules might interfere.
>
> Have you got something like the expression
> DAU = dümmster anzunehmender User
> ~ the most stupid user to expect

Yes, I've been working as a sysadmin for a long time, and have seen some
pretty dumb things. My main concern is providing a good secure script to
start with. If someone breaks the script, they own all the pieces. There
is nothing we can do about that.

> That's what I always have in mind if you do wonder about my remarks -
> which sound so obvious to you that you think it's not important.

Understood.

- BS
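An added example, not the script the thread is discussing, showing the ordering both sides are arguing about: the noise-suppressing DROP rules for broadcast and multicast are emitted only when LOGGING is set, directly above the LOG rule at the end of an INPUT chain whose policy is DROP, with the "insert your own rules above here" marker placed where a user-added rule can still see traffic. The function name input_chain_tail and the dry-run default of IPTABLES="echo iptables" are assumptions so it runs without root; the log rate limit is a choice made here, not something from the thread.

```shell
#!/bin/sh
# Added example (not the thread's script). Defaults to a dry run that prints
# the iptables commands; set IPTABLES=iptables to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Emit the final rules of the INPUT chain (policy DROP assumed).
# $1: non-empty to enable logging, empty to disable (mirrors $LOGGING).
input_chain_tail() {
    logging="$1"

    # ---- Add your own ACCEPT/REJECT rules ABOVE this line ----
    # Nothing appended after the LOG rule below ever matches: the LOG rule
    # matches every packet that reaches it and the DROP policy follows.

    if [ -n "$logging" ] ; then
        # These two rules exist only to keep noise out of the log; without
        # logging, the DROP policy already discards these packets.
        $IPTABLES -A INPUT -d 255.255.255.255 -j DROP   # do not log broadcasts
        # 224.0.0.0/4 is the whole IPv4 multicast range (the thread's script
        # uses the narrower 224.0.0.0/8).
        $IPTABLES -A INPUT -d 224.0.0.0/4 -j DROP       # do not log multicasts
        # Rate-limited so a flood cannot fill the log (limit chosen here).
        $IPTABLES -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT DROP: "
    fi
}

# Demo: honour the same LOGGING variable the thread's script uses.
input_chain_tail "${LOGGING:-}"
```

Run with `LOGGING=yes sh script.sh` to see the three rules in order, or leave LOGGING unset to confirm nothing is emitted.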