On 10/13/2014 05:03 PM, Thomas Woerner wrote:
> On 10/13/2014 03:47 PM, Jiri Popelka wrote:
>> Either hard-wire the policy of filter/INPUT to "DROP" - this shouldn't
>> change anything, as all 'remaining' packets are matched with
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> anyway.
>>
>> Or add 'policy' support to the 'direct' interface. Something like
>> $ firewall-cmd [--permanent] --direct --add-policy { ipv4 | ipv6 | eb }
>> table chain target
>> which would run 'iptables -P -t table chain target'
> I think it would be good to have one global setting in the firewalld
> config file to define the default policy for all default chains in all
> tables.

Setting the policies of all chains in all tables to DROP is IMHO *too*
restrictive. That would AFAICT drop *all* traffic (for example in the raw or
mangle table), and it's not what the 'security guide' suggests - it
suggests setting the DROP policy on filter/INPUT only.
Anyway I think using firewalld's 'drop' zone is what we want here, as I
already suggested in another answer.
--
Jiri
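
The `--direct --add-policy` mapping proposed in the quoted message, as an added example that is not part of this thread and not firewalld's own code: a POSIX shell dry run that turns the `{ ipv4 | ipv6 | eb } table chain target` arguments into the backend command (written in the option order iptables accepts, `-t table` before `-P chain target`) and applies the checks such a mapping needs. A chain policy can only be ACCEPT or DROP, so the trailing `-j REJECT --reject-with icmp-host-prohibited` rule can never become a policy; `-P` only applies to built-in chains; and a DROP policy outside the filter table discards every packet on that hook, which is the "too restrictive" case raised above. The function names, messages and the chain table are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not firewalld or iptables code): a dry-run translator for
# the proposed --direct --add-policy { ipv4 | ipv6 | eb } table chain target
# form. It prints the backend command instead of executing it. Function and
# variable names are assumptions of this example.

# Built-in chains per family/table (assumed table, matches the stock
# iptables/ip6tables/ebtables layout). Only these chains take a policy
# (-P); user-defined chains have none.
builtin_chains() {
    case "$1/$2" in
        ipv4/filter|ipv6/filter|eb/filter) echo "INPUT FORWARD OUTPUT" ;;
        ipv4/nat|ipv6/nat)                 echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
        ipv4/mangle|ipv6/mangle)           echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        ipv4/raw|ipv6/raw)                 echo "PREROUTING OUTPUT" ;;
        ipv4/security|ipv6/security)       echo "INPUT FORWARD OUTPUT" ;;
        eb/nat)                            echo "PREROUTING OUTPUT POSTROUTING" ;;
        eb/broute)                         echo "BROUTING" ;;
        *)                                 return 1 ;;
    esac
}

# direct_policy_cmd FAMILY TABLE CHAIN TARGET
# Prints e.g. "iptables -t filter -P INPUT DROP"; fails with a message on
# stderr when the request cannot be expressed as a chain policy.
direct_policy_cmd() {
    family=$1 table=$2 chain=$3 target=$4

    case "$family" in
        ipv4) tool=iptables ;;
        ipv6) tool=ip6tables ;;
        eb)   tool=ebtables ;;
        *) echo "unknown family '$family' (expected ipv4, ipv6 or eb)" >&2; return 1 ;;
    esac

    # A chain policy is only ACCEPT or DROP. REJECT (with or without
    # --reject-with) is a rule target, so it has to stay a trailing rule such
    # as "-A INPUT -j REJECT --reject-with icmp-host-prohibited";
    # "-P INPUT REJECT" is refused by iptables.
    case "$target" in
        ACCEPT|DROP) ;;
        *) echo "'$target' is not a valid chain policy (ACCEPT or DROP)" >&2; return 1 ;;
    esac

    chains=$(builtin_chains "$family" "$table") ||
        { echo "unknown table '$table' for family '$family'" >&2; return 1; }
    case " $chains " in
        *" $chain "*) ;;
        *) echo "'$chain' is not a built-in chain of $family/$table; -P does not apply" >&2; return 1 ;;
    esac

    # A DROP policy outside the filter table discards every packet that
    # traverses the hook (for example all of raw/PREROUTING). Warn, but
    # still emit the command, since the caller asked for it explicitly.
    if [ "$target" = DROP ] && [ "$table" != filter ] && [ "$family" != eb ]; then
        echo "warning: DROP policy on $table/$chain drops all traffic through that hook" >&2
    fi

    echo "$tool -t $table -P $chain $target"
}

# Dry run: the filter/INPUT policy the security guide recommends, plus two
# requests the mapping has to refuse (messages go to stderr).
direct_policy_cmd ipv4 filter INPUT DROP
direct_policy_cmd ipv4 filter INPUT REJECT || true
direct_policy_cmd ipv4 filter MYCHAIN DROP || true
```

To turn the dry run into a real change, replace the final `echo` with an `exec` of the printed command; the REJECT rule from the thread still has to be appended as a rule afterwards, because no policy can express it.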