change iptables default policy to accept and create last rule matchin… #486
Thanks for your PR. I am, however, not sure if your proposed changes should be completely integrated.
While I can understand the practical implications of your proposed changes, I still feel that
So IMHO this would to some extent (even minor) degrade the security. What do you think?
your first priority is on security, mine was on accessibility. in the meantime I checked one of my servers and also there all main chains are on policy DROP and last rule is REJECTing (either with or w/o logging).
ahem, security by obscurity. :-) what applies for ports also applies for ping.
if you ping a system either you get back the echo or just nothing. good indication that it's there.
moving from DROP to ACCEPT policy of course, minor, plz let me refine my PR. trying to hide a system with DROP, no.
Thanks for your refined PR. I immediately took over your ip6tables fix.
However, regarding changing the default policy to REJECT rather than DROP, I still believe that this only brings too little benefit and slightly reduces the security since the system can then be more easily spoofed. So please allow me to reject this PR since I feel that the current default policy is more adequate.
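
An added illustration, not part of the PR thread or the project's code: a small parser for `iptables-save` output that reports each chain's policy next to its last rule, the two settings compared in the discussion above. The ruleset is constructed sample data and `audit` is a hypothetical helper name.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample in iptables-save format (not taken from the PR).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j LOG --log-prefix "fwd-drop: "
COMMIT
"""

def audit(save_text):
    """Map (table, chain) to its policy, last rule target and effective fate."""
    chains, table = {}, None
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            # ":CHAIN POLICY [pkts:bytes]"; user-defined chains show "-" as policy.
            name, policy = line[1:].split()[:2]
            chains[(table, name)] = {"policy": policy, "last_target": None,
                                     "catch_all": False}
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            entry = chains.get((table, tokens[1]))
            if entry is None:
                continue
            # Each appended rule overwrites the record, so the last one wins.
            has_jump = "-j" in tokens
            entry["last_target"] = tokens[tokens.index("-j") + 1] if has_jump else None
            # No match options between the chain name and -j: applies to every packet.
            entry["catch_all"] = len(tokens) > 2 and tokens[2] == "-j"
    for entry in chains.values():
        # A terminal catch-all as last rule decides unmatched packets; else the policy does.
        decided = entry["catch_all"] and entry["last_target"] in TERMINAL
        entry["effective"] = entry["last_target"] if decided else entry["policy"]
    return chains

if __name__ == "__main__":
    for (table, chain), info in audit(SAMPLE).items():
        print(table, chain, info)
```

On the sample, INPUT has policy DROP but unmatched packets are answered by the final REJECT rule, while FORWARD logs and then falls through to its DROP policy.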