Re: [Fwbuilder-discussion] Default policy when stopping the firewall
From: Luc P. <lp...@to...> - 2010-07-26 16:05:33
On 2010-07-26 11:09, Vadim Kurland wrote:
> On Mon, Jul 26, 2010 at 7:35 AM, Luc Paulin <lp...@to...> wrote:
>
>> Hi,
>> It looks like when we stop the firewall using the script it doesn't
>> reset the default policy. I would expect that when I stop the firewall
>> the default policy should be ACCEPT.
>>
>
> It should be DROP; however, you can make the script retain a rule to
> permit ssh access to the firewall from the management workstation if
> you use the checkbox in the advanced settings dialog of the firewall
> object. This way, even when the firewall is stopped and all actions are
> DROP, you can still ssh to the firewall.
>

Why should it be DROP? I understand that having the default policy set to ACCEPT is a risk; however, there may sometimes be cases where it would be preferable to entirely turn off the firewall temporarily for testing purposes, especially in a test environment. Also, the management workstation may not always be the same. In our environment we have fwbuilder installed on a central server and we then use X forwarding to our own workstations. We connect to the firewall directly from our own workstations. Also, the IP address of the management workstation may not always be the same because of NAT/internet.
>>
>> root@lpaulin-laptop:/home/lpaulin/Desktop/FWBuilder# iptables -L
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> root@lpaulin-laptop:/home/lpaulin/Desktop/FWBuilder# ./TT_Laptop.fw
>> Activating firewall script generated Fri Jul 16 15:45:49 2010 by lpaulin
>> Running prolog script
>> Verifying interfaces: eth0 lo eth1
>> Rule 0 (eth0)
>> Rule 1 (lo)
>> Rule 2 (global)
>> Rule 3 (global)
>> Rule 4 (global)
>> Running epilog script
>>
>> root@lpaulin-laptop:/home/lpaulin/Desktop/FWBuilder# ./TT_Laptop.fw stop
>>
>> root@lpaulin-laptop:/home/lpaulin/Desktop/FWBuilder# iptables -L
>> Chain INPUT (policy DROP)
>> target prot opt source destination
>>
>> Chain FORWARD (policy DROP)
>> target prot opt source destination
>>
>> Chain OUTPUT (policy DROP)
>> target prot opt source destination
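The fail-closed stop behaviour Vadim describes, with a retained management rule so an administrator is not locked out, as an added example that is not fwbuilder's generated script: IPTABLES, MGMT_SRC, MGMT_PORT and fw_stop are assumed names, 192.0.2.0/24 is a constructed placeholder range, and setting IPTABLES=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not fwbuilder's generated script: a fail-closed "stop"
# that keeps management SSH reachable, so stopping the firewall does not
# lock the administrator out. IPTABLES, MGMT_SRC and MGMT_PORT are
# assumed names; IPTABLES=echo gives a dry run that only prints commands.
IPTABLES=${IPTABLES:-iptables}
# Use a subnet rather than a single address when NAT makes the
# management workstation's address vary (constructed documentation range).
MGMT_SRC=${MGMT_SRC:-192.0.2.0/24}
MGMT_PORT=${MGMT_PORT:-22}

# fw_stop [closed|open]: "closed" (default) mirrors fwbuilder's DROP policy,
# "open" is the all-ACCEPT state suitable only for an isolated test host.
fw_stop() {
    mode=${1:-closed}
    case "$mode" in
        closed) policy=DROP ;;
        open)   policy=ACCEPT ;;
        *) echo "usage: fw_stop [closed|open]" >&2; return 2 ;;
    esac
    # 1. Set the default policy before flushing, so no packet is accepted
    #    by a chain that is momentarily empty of rules.
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -P "$chain" "$policy"
    done
    # 2. Remove every rule and user chain the generated policy installed.
    for table in filter nat mangle; do
        $IPTABLES -t "$table" -F
        $IPTABLES -t "$table" -X
    done
    [ "$policy" = ACCEPT ] && return 0
    # 3. Re-add the minimal management path: loopback, replies to
    #    connections this host already has, and new SSH from MGMT_SRC.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -s "$MGMT_SRC" -p tcp --dport "$MGMT_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
}
```

Run as root with the real iptables; afterwards `iptables -S` should list the three DROP policies followed only by the loopback, conntrack and management SSH rules.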