I was looking for a way to set the default rule for the INPUT chain to DROP. I do not want to change the rule with iptables -P INPUT DROP after loading the kernel; I want the kernel/modules to automatically DROP everything after they have been loaded.

You can do this with the FORWARD chain with the parameter forward=0, but nothing is implemented for the INPUT chain as far as I know.

I looked inside the kernel source of the modules, and hey, it is easy to change. I recompiled the module and reloaded it. Perfect, now I have default DROP.

But as it is so easy to edit, why is there no option in the kernel or a parameter for the module that allows editing the default entries when loading the module? I can't imagine that I am the first one who wants to have a secure Linux, even if the firewall script (that could set -P INPUT DROP) fails or is delayed (I use parallel startup, so it could be that eth0 starts before iptables). Is there a reason why a default INPUT DROP policy is not supported in the kernel? (I know that you can easily remove the access to your system if you only manage it via ssh, but why not have the option, if you really want to do that?)

Or is there a better way to achieve this goal?

--
gentoo-user@g.o mailing list
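A worked example added here, not code from the post above or from the gentoo-user thread: the usual userspace approach is to load the DROP policy and the allow rules in one iptables-restore commit, so there is never a table with DROP but no ssh rule or ACCEPT with no rules, and to verify the resulting dump before trusting it. It does not answer the module-parameter question, and the startup-ordering concern still has to be solved by running the restore before the interface comes up. Assumptions that are not in the post: sshd on TCP/22 unless overridden, a loopback interface named lo, and the iptables-save/iptables-restore text format; applying the ruleset needs root and iptables installed, while building and checking it does not.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a default-DROP
# INPUT ruleset in iptables-save format and checks such a dump for the
# policy and for the ssh allow rule, so the checks can run against the
# generated text or against the live table (iptables-save) before and
# after applying it.
# Assumptions (not in the post): sshd on tcp/22 unless overridden,
# loopback is "lo", iptables-restore text format as emitted below.

# Emit a complete filter table with a DROP policy on INPUT and FORWARD.
# iptables-restore applies the whole table in one COMMIT, so the policy
# and the allow rules become visible together. $1 is the ssh port.
build_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save style dump on stdin; succeed only if the INPUT
# chain policy line says DROP. Usage: iptables-save | input_policy_is_drop
input_policy_is_drop() {
    grep -q '^:INPUT DROP '
}

# Guard against the lockout the post mentions: succeed only if the dump on
# stdin carries an explicit ACCEPT for the management port. $1 is the port.
ruleset_keeps_ssh() {
    ssh_port="${1:-22}"
    grep -q -- "--dport ${ssh_port} .*-j ACCEPT"
}

# To apply (as root, with iptables installed), refusing a ruleset that
# would cut off ssh, then verify from the live table:
#   build_ruleset 22 | ruleset_keeps_ssh 22 && build_ruleset 22 | iptables-restore
#   iptables-save | input_policy_is_drop && echo "INPUT policy is DROP"
```

Because iptables-restore replaces the table atomically at COMMIT, the policy line and the allow rules in the same file cannot be observed separately, which removes the window that running iptables -P INPUT DROP as a separate command would open; the check functions read the same text format that iptables-save prints, so the post-apply verification needs no parsing beyond a grep.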