Enable conntrack in FORWARD #29
Conversation
@nbarrientos any reason why you removed the FORWARD conntrack in #14, or did you just miss it? Mainly because you added explicit tests that the forward conntrack rules are not present by default.
Hi @duritong

It was on purpose. Perhaps the most prominent use-case for this module is machines where all the traffic they see on their interfaces is for the host itself (pure servers), hence having rules added to
Hi @nbarrientos,

Could you please provide an example of the connections that won't work as expected if forwarded traffic that is part of an established connection is not allowed in a typical server environment?
I agree with @nbarrientos that in typical server environments FORWARD is most likely not relevant, and it actually follows the core design principle of the module: by default it should be as locked down as possible. So having something in place that might eventually be used does not really follow that principle. So imho what should happen: by default it should not be allowed, since no forwarding is needed by default. If we add rules to forward, then connection tracking should be set up, so that established flows work. But maybe @keachi you have an example in mind where it makes sense.
We don't open anything with it, as there is no rule which allows new traffic. But I changed fwd_conntrack to false by default.
e3c56ff Merge pull request voxpupuli#29 from keachi/fwd_conntrack

24a5a2a Enable conntrack in FORWARD

git-subtree-dir: code
git-subtree-split: e3c56ff
This PR will enable conntrack for forwarded packets. This is mostly used for router traffic.
This extends #14.
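The disagreement in the thread comes down to what a forward chain does to the reply half of a forwarded connection. The toy evaluator below is an added example, not code from the module or this PR: it renders a forward chain in nftables syntax with and without the conntrack rules (the `table inet filter` / `chain forward` layout, the `ct state invalid drop` rule and the `iifname lan oifname wan ct state new accept` forward rule are assumptions chosen to mirror the discussion), understands only `iifname`, `oifname` and `ct state` matches, and pushes a LAN host's TCP handshake through each variant.

```python
"""Toy evaluator for an nftables forward chain, with and without conntrack rules.

Added example, not code from the module under discussion. The chain layout
(table inet filter / chain forward, policy drop) and the rule-syntax subset
are assumptions; only iifname, oifname and 'ct state' matches followed by a
final accept/drop verdict are understood.
"""
from dataclasses import dataclass


def render_forward_chain(fwd_conntrack: bool, forward_rules=()) -> str:
    """Render the forward chain as nft text.

    fwd_conntrack=False is the locked-down default argued for in the thread:
    policy drop and no rules, so nothing is forwarded. fwd_conntrack=True adds
    the rules that let replies of already-accepted flows through.
    """
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
    ]
    if fwd_conntrack:
        lines.append("    ct state established,related accept")
        lines.append("    ct state invalid drop")
    lines.extend("    " + rule for rule in forward_rules)
    lines.extend(["  }", "}"])
    return "\n".join(lines)


@dataclass(frozen=True)
class Packet:
    iif: str       # input interface name
    oif: str       # output interface name
    ct_state: str  # new | established | related | invalid


def _matches(tokens, pkt: Packet) -> bool:
    """Check the match part of a rule (everything except the trailing verdict)."""
    i = 0
    while i < len(tokens):
        if tokens[i] == "iifname":
            if pkt.iif != tokens[i + 1]:
                return False
            i += 2
        elif tokens[i] == "oifname":
            if pkt.oif != tokens[i + 1]:
                return False
            i += 2
        elif tokens[i] == "ct" and tokens[i + 1] == "state":
            if pkt.ct_state not in tokens[i + 2].split(","):
                return False
            i += 3
        else:
            raise ValueError(f"unsupported match: {tokens[i]}")
    return True


def evaluate(chain_text: str, pkt: Packet) -> str:
    """Walk the chain top to bottom: the first matching rule's verdict wins,
    otherwise the chain policy applies, as in nftables."""
    policy = "drop"
    for raw in chain_text.splitlines():
        line = raw.strip()
        if line.startswith("type filter hook"):
            policy = line.split("policy", 1)[1].strip(" ;")
            continue
        if not line or line.startswith(("table", "chain", "}")):
            continue
        tokens = line.split()
        if _matches(tokens[:-1], pkt):
            return tokens[-1]
    return policy


def forwarded_handshake(chain_text: str) -> list:
    """Push a LAN host's TCP handshake to the WAN through the chain.

    Minimal conntrack table: the flow counts as established only if its first
    packet was accepted (the kernel discards the unconfirmed entry when that
    packet is dropped). Otherwise later packets of the flow carry a
    non-established state; 'invalid' is used here as a simplification.
    """
    syn = Packet("lan", "wan", "new")
    verdicts = [evaluate(chain_text, syn)]
    state = "established" if verdicts[0] == "accept" else "invalid"
    verdicts.append(evaluate(chain_text, Packet("wan", "lan", state)))  # SYN/ACK reply
    verdicts.append(evaluate(chain_text, Packet("lan", "wan", state)))  # final ACK
    return verdicts


# Hypothetical router rule: let the LAN open connections towards the WAN.
LAN_TO_WAN = "iifname lan oifname wan ct state new accept"

if __name__ == "__main__":
    for conntrack, rules in [(False, ()), (True, ()), (False, (LAN_TO_WAN,)), (True, (LAN_TO_WAN,))]:
        chain = render_forward_chain(conntrack, rules)
        print(f"fwd_conntrack={conntrack!s:5} forward_rules={len(rules)} -> {forwarded_handshake(chain)}")
```

Running it shows the four positions taken in the thread side by side: the default (no conntrack rule, no forward rule) drops everything; the conntrack rules alone also drop everything, because the SYN is `new` and nothing accepts it; a forward rule without the conntrack rules accepts the SYN but drops the SYN/ACK, so the handshake never completes; and only the combination forwards the whole connection.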