[sanewall-dev] Changing activation policy

Thomas Arendsen Hein thomas at intevation.de
Mon May 21 09:19:04 CEST 2012


* Phil Whineray <phil.whineray at gmail.com> [20120519 18:53]:
> For sanewall I think I should change the activation policy for the
> FORWARD chain from ACCEPT TO DROP.
> 
> Could people please let me know if this will adversely affect them and
> if possible test what effect it has?
> 
> Just add to the top of your config:
>   SANEWALL_FORWARD_ACTIVATION_POLICY=DROP
> 
> If you are using firehol the equivalent would be to add:
>   FIREHOL_FORWARD_ACTIVATION_POLICY=DROP
> 
> There are two other policies for INPUT and OUTPUT, also set to ACCEPT
> during activation. This as-designed, to avoid intefering with establish
> connections whilst restarting and eliminated the risk that the host becomes
> inaccessible to the admin if something goes wrong whilst restarting the
> firewall remotely.

I am using DROP on INPUT/OUTPUT/FORWARD since 2003 on multiple
(40-60?) hosts and absolutely never had a disconnect of the ssh
session I used to activate the rules, even with very large rulesets,
where it took up to 5 minutes to activate >5000 rules across many
interfaces.

See my very old bug report about this:
http://sourceforge.net/tracker/?func=detail&atid=487695&aid=756001&group_id=58425

Therefore I suggest setting it to DROP for all three activation
policies.

Regards,
Thomas

-- 
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.sanewall.org/pipermail/sanewall-dev/attachments/20120521/c31f2c13/attachment.pgp>


More information about the Sanewall-Dev mailing list