Firewall Default deny

From FreeBSDwiki

Default Deny is a type of firewall ruleset in which the default condition of the firewall is to deny ALL connectivity - from anywhere, to anywhere. A default deny firewall with no additional rules loaded effectively has no network interfaces in it at all.

You do need to be careful in how you manipulate a default deny system. For instance, if you try to reload the firewall rules remotely, you will lock yourself out: the shell session terminates as soon as the firewall returns to its default rules, so the commands that would load the extra rules allowing some types of connectivity never get the chance to run. Even so, default deny is the recommended type of firewall ruleset. A default allow setup would not have the problem just outlined, but it would be vulnerable to a race condition: in the period between the reset to the default allow ruleset and the reloading of the additional rules that restrict access, every port is open, and an attacker who hits that window could compromise the system.

All FreeBSD systems running ipfw are default deny systems unless a custom kernel is built with the line options IPFIREWALL_DEFAULT_TO_ACCEPT in its configuration. For the race condition reason outlined above, it is NOT recommended that you override this behavior to force a default allow ruleset.
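One way to reload an ipfw ruleset from a remote session without either of the two windows described above, written as an added example rather than code from this wiki: the new rules are built in a spare, disabled set and then swapped with the live set in a single operation, so there is never an instant with the allow rules missing or with everything open. The management host address, the interface name and the set numbers are assumptions for the example, and the script only prints the ipfw commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the FreeBSDwiki page: reload a default-deny ipfw
# ruleset from a remote session without passing through a moment in which the
# allow rules are gone (the lockout) or, on a default-allow kernel, everything
# is open (the race). The new rules are built in a spare, disabled set and
# swapped with the live set in one step ("ipfw set swap", see ipfw(8)).
# Assumed values, not from the page: management host 203.0.113.10 (TEST-NET-3),
# interface em0, live set 0, staging set 1. Dry run (prints) unless APPLY=1.

MGMT=${MGMT:-203.0.113.10}
IF=${IF:-em0}
LIVE=0
STAGE=1
if [ "${APPLY:-0}" = 1 ]; then IPFW="ipfw -q"; else IPFW="echo ipfw"; fi

# Print the ruleset, one "add" per line, every rule tagged with the given set.
# Under default deny, order decides what survives: the management SSH rules
# come first and are stateless, so the admin session never depends on dynamic
# state that a reload might discard; an explicit logged deny closes the set so
# drops show up in the log even though the kernel's default rule would drop them.
gen_rules() {
    s=$1
    cat <<EOF
add 100 set $s allow ip from any to any via lo0
add 200 set $s allow tcp from $MGMT to me 22 in via $IF
add 210 set $s allow tcp from me 22 to $MGMT out via $IF
add 300 set $s check-state
add 400 set $s allow tcp from me to any out via $IF setup keep-state
add 500 set $s allow udp from me to any 53 out via $IF keep-state
add 600 set $s allow icmp from any to me icmptypes 8
add 65000 set $s deny log ip from any to any
EOF
}

rule_count() { gen_rules "$1" | wc -l | tr -d ' '; }
last_rule()  { gen_rules "$1" | tail -n 1; }

# Atomic reload: disable and empty the staging set, fill it (a disabled set is
# skipped during lookup, so traffic is still judged by the live set), swap the
# two sets in one operation, then delete the old rules now in the staging set.
reload() {
    $IPFW set disable $STAGE
    $IPFW delete set $STAGE
    gen_rules "$STAGE" | while read -r rule; do $IPFW $rule; done
    $IPFW set swap $LIVE $STAGE
    $IPFW delete set $STAGE
}

reload
```

Run it first without APPLY=1 and read the printed commands; the management rules must appear before anything broader, and the swap must be the only step that changes what the live set contains.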
