Gentoo Archives: gentoo-user

From: Daniel Waeber <_wabu@×××.de>
To: gentoo-user@l.g.o
Subject: [gentoo-user] netfilter: -P INPUT DROP in kernel
Date: Fri, 21 Apr 2006 00:06:40
Message-Id: 444820A8.30105@web.de
In Reply to: [gentoo-user] OT - openssh and ldap by Michael Sullivan
I was looking for a way to set the default rule for the INPUT chain to
DROP. I do not want to change the rule with iptables -P INPUT DROP after
loading the kernel; I want the kernel/modules to automatically DROP
everything after they have been loaded.
You can do this with the FORWARD chain with the parameter forward=0, but
nothing is implemented for the INPUT chain as far as I know.
I looked inside the kernel source of the modules, and hey, it is easy to
change. I recompiled the module and reloaded it. Perfect, now I have
default DROP.
But as it is so easy to edit, why is there no option in the kernel or a
parameter for the module that allows editing the default entries when
loading the module? I can't imagine that I am the first one who wants to
have a secure Linux, even if the firewall script (that could set -P
INPUT DROP) fails or is delayed (I use parallel startup, so it could be
that eth0 starts before iptables). Is there a reason why a default INPUT
DROP policy is not supported in the kernel? (I know that you can easily
remove the access to your system if you only manage it via ssh, but why
not have the option, if you really want to do that?)
Or is there a better way to achieve this goal?
--
gentoo-user@g.o mailing list
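A way to get the same effect without patching the module, as an added example that is not part of the thread: load a filter table whose INPUT policy is DROP in one atomic iptables-restore step (before interfaces come up), keeping loopback, established traffic and the ssh port so a remote admin session is not cut off, and verify the result by parsing iptables-save output. The ssh port and the sample iptables-save text are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits a default-DROP ruleset in
# iptables-restore format; the ssh port (default 22) is an assumption.
emit_default_drop_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Load the ruleset atomically (needs root and iptables-restore). Run it
# before the network interfaces come up so there is no window in which
# the INPUT policy is still ACCEPT.
apply_default_drop() {
    emit_default_drop_ruleset "$1" | iptables-restore
}

# Print the policy of a chain in the *filter* table of iptables-save
# formatted text read from stdin. The table context matters: the nat
# table also has an INPUT chain, whose policy must not be reported.
chain_policy() {
    awk -v c="$1" '
        /^\*/ { table = substr($1, 2) }
        table == "filter" && $1 == (":" c) { print $2; exit }
    '
}

# Constructed sample of `iptables-save` output, with a nat table first.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [12:800]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:400]
COMMIT'

# Exit status 0 only when the live (or given) filter table drops by default.
input_policy_is_drop() {
    [ "$(chain_policy INPUT)" = "DROP" ]
}
```

Check the running box with `iptables-save | input_policy_is_drop && echo "default DROP"`.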

Replies

Subject: Re: [gentoo-user] netfilter: -P INPUT DROP in kernel
Author: Benno Schulenberg <benno.schulenberg@×××××.com>