
Default deny

From FreeBSDwiki
Revision as of 13:20, 24 December 2004 by Jimbo

Default deny is a type of firewall ruleset in which the firewall's default condition is to deny all connectivity, from anywhere to anywhere. A default deny firewall with no additional rules loaded behaves as though it had no network interfaces at all.

You do need to be careful in how you manipulate a default deny system. For instance, if you try to reload the firewall rules remotely, you will kill your own session: the shell session terminates as soon as the system returns to the default rules, so it never gets the chance to load the extra rules that allow some types of connectivity. Even so, default deny is the recommended type of firewall ruleset. A default allow setup would not have the problem outlined above, but it would be vulnerable to a race condition: an attacker could compromise the system by attacking it in the window between the reset to the default allow ruleset and the reloading of the additional rules that restrict access afterwards.
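The following script is an added example and is not part of the FreeBSDwiki page. It shows what a default deny ruleset looks like in ipfw terms, and how to reload it without depending on the interactive session that triggered the reload. The administrator network (192.0.2.0/24), the list of offered ports, and the rule numbers are constructed values; the script assumes the host uses ipfw. The explicit catch-all deny at the end is what makes the policy default deny regardless of whether the kernel's built-in final rule was compiled as deny or accept.

```shell
#!/bin/sh
# Added example (not from the FreeBSDwiki page): build a default-deny ipfw
# ruleset as text, check its shape, and only then hand it to ipfw.
# Constructed values: ADMIN_NET, ALLOWED_TCP_PORTS and the rule numbers.

ADMIN_NET="192.0.2.0/24"        # constructed: where administrators connect from
ALLOWED_TCP_PORTS="22 80 443"   # constructed: services this host offers

# Print the ruleset, one ipfw command per line. Everything above the final
# "deny ip from any to any" is the whitelist; the final rule is the default.
build_ruleset() {
    echo "add 100 allow ip from any to any via lo0"
    echo "add 200 check-state"
    # Administrative access comes first so that a reload never leaves the
    # administrators without a way back in.
    echo "add 300 allow tcp from ${ADMIN_NET} to me 22 in setup keep-state"
    for p in ${ALLOWED_TCP_PORTS}; do
        echo "add 400 allow tcp from any to me ${p} in setup keep-state"
    done
    # Let the host itself initiate outbound connections (DNS, updates, ...).
    echo "add 500 allow ip from me to any out keep-state"
    # Default deny: anything not matched above is dropped.
    echo "add 65000 deny ip from any to any"
}

# Guard: the last rule must be the catch-all deny. Without it the ruleset
# would rely on the kernel's built-in final rule, which may be accept.
is_default_deny() {
    last=$(build_ruleset | tail -n 1)
    case "$last" in
        *"deny ip from any to any") return 0 ;;
        *) return 1 ;;
    esac
}

# Number of explicit allow rules in the generated set (used for checks).
count_allow_rules() {
    build_ruleset | grep -c '^add [0-9]* allow '
}

# Apply: write "flush" plus the whole ruleset to a file and load it with one
# ipfw invocation. Flushing and re-adding in a single non-interactive load
# means the whitelist is installed without waiting on the shell session that
# started the reload, which is the trap described above.
apply_ruleset() {
    if ! is_default_deny; then
        echo "refusing to load: last rule is not a catch-all deny" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    { echo "flush"; build_ruleset; } > "$tmp"
    ipfw -q -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: ./default-deny.sh --show    prints the ruleset for review
#        ./default-deny.sh --apply   loads it (requires root and ipfw)
case "${1:-}" in
    --show)  build_ruleset ;;
    --apply) apply_ruleset ;;
esac
```

Review the output of `--show` before `--apply`; the point of generating the rules as text first is that the invariant (catch-all deny last, administrative access allowed above it) can be checked before the running firewall is touched.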
