On 10/13/2014 05:41 PM, Jiri Popelka wrote:
On 10/13/2014 05:03 PM, Thomas Woerner wrote:
> On 10/13/2014 03:47 PM, Jiri Popelka wrote:
>> Either hard-wire policy of filter/INPUT to "DROP" - this shouldn't
>> change anything as all 'remaining' packets are matched with
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> anyway.
>>
>> Or add a "policy" support to 'direct' interface. Something like
>> $ firewall-cmd [--permanent] --direct --add-policy { ipv4 | ipv6 | eb }
>> table chain target
>> which would run 'iptables -P -t table chain target'
> I think it would be good to have one global setting in the firewalld
> config file to define the default policy for all default chains in all
> tables.
> Setting policies of all chains of all tables to DROP is IMHO *too*
> restrictive. That would AFAICT drop *all* traffic (for example in raw or
> mangle table) and it's not what the 'security guide' suggests - it
> suggests to set DROP policy of filter/INPUT only.
Yes, that is right - it is too restrictive. Setting the policy in the
filter/INPUT and filter/FORWARD only should be OK.
> Anyway I think using firewalld's 'drop' zone is what we want here, as I
> already suggested in another answer.
Yes.
> --
> Jiri
Thomas
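Jiri's point above, that a DROP policy on filter/INPUT changes nothing as long as the chain ends in an unconditional REJECT, can be checked mechanically instead of by eye. The shell snippet below is an added example, not code from this thread or from firewalld: it parses the text form of `iptables -S CHAIN`, reports the chain's policy, and decides whether any packet can fall off the end of the chain and actually hit that policy. Both rule listings are constructed samples (modelled on a firewalld filter/INPUT chain and on a hand-written chain with no catch-all), not captures from a real host; the function names are my own.

```shell
# Added example (not from the thread or firewalld): given the output of
# `iptables -S CHAIN`, decide whether the chain policy can ever be reached.

# Constructed sample modelled on the filter/INPUT chain firewalld installs
# (not captured from a real host). Note the trailing unconditional REJECT.
SAMPLE_FIREWALLD='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed sample of a hand-written chain with no catch-all rule, where
# the policy decides the fate of anything not explicitly accepted.
SAMPLE_OPEN='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'

# chain_policy CHAIN RULES: print the policy target from the -P line.
chain_policy() {
  printf '%s\n' "$2" | awk -v chain="$1" '$1 == "-P" && $2 == chain { print $3 }'
}

# policy_reachable CHAIN RULES: print "yes" if a packet can fall off the
# end of CHAIN (so the policy matters), "no" if the last rule is an
# unconditional terminating target such as "-j REJECT ..." or "-j DROP".
# A jump to a user-defined chain is not terminating: that chain may RETURN.
policy_reachable() {
  printf '%s\n' "$2" | awk -v chain="$1" '
    $1 == "-A" && $2 == chain { last = $0 }
    END {
      sub("^-A " chain " ", "", last)      # keep "<matches> -j TARGET [opts]"
      n = split(last, f, " ")
      if (n >= 2 && f[1] == "-j" &&
          (f[2] == "ACCEPT" || f[2] == "DROP" || f[2] == "REJECT"))
        print "no"
      else
        print "yes"
    }'
}

# audit CHAIN RULES: one-line verdict in the spirit of the thread.
audit() {
  pol=$(chain_policy "$1" "$2")
  if [ "$(policy_reachable "$1" "$2")" = "no" ]; then
    echo "$1: policy $pol is unreachable; the final catch-all rule already decides"
  else
    echo "$1: policy $pol is reachable; consider 'iptables -t filter -P $1 DROP'"
  fi
}

audit INPUT "$SAMPLE_FIREWALLD"
audit INPUT "$SAMPLE_OPEN"
```

On a live host you would feed it `iptables -S INPUT` (or `ip6tables -S INPUT`) instead of the constructed strings. The check is deliberately conservative: only a final `-j ACCEPT`, `-j DROP` or `-j REJECT` with no match options counts as a catch-all, so a trailing jump into a user chain, or a REJECT guarded by `-p`/`-m` matches, still reports the policy as reachable, which is exactly the case where hard-wiring filter/INPUT to DROP would change behaviour.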