Default deny

From FreeBSDwiki
(Difference between revisions)
m (Reverted edits by Lubomir1991 (Talk) to last revision by Dave)
(Blanked the page)
'''Default Deny''' is a type of [[firewall]] ruleset in which the default condition of the firewall is to deny ALL connectivity - from anywhere, to anywhere.  A '''default deny''' firewall with no additional rules loaded effectively has no network interfaces in it at all.
You do need to be careful in how you manipulate a default deny system. For instance, if you reload the firewall rules remotely, you'll lock yourself out: your shell session terminates as soon as the system returns to its default rules, so the commands that would load the extra rules allowing some types of connectivity never get the chance to run.  However, default deny is the recommended type of firewall ruleset, because while a '''default allow''' setup would not have the problem outlined above, it ''would'' be vulnerable to a [[race condition]]: an attacker could compromise the system by attacking it in the period between the reset to the default allow ruleset and the reloading of the additional rules that restrict access afterwards.
All FreeBSD systems running [[ipfw]] are automatically '''default deny''' systems unless specified otherwise in a [[custom kernel]], with the line '''options    IPFIREWALL_DEFAULT_TO_ACCEPT'''.  For the [[race condition]] reason outlined above, it is NOT recommended that you override this behavior to force a '''default allow''' ruleset.
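The following script is an added example, not part of this wiki page nor one of FreeBSD's own rc scripts. It shows one way to reload rules on a default deny [[ipfw]] host from a remote shell without the lockout described above: the new rules are loaded into a disabled ipfw rule set and then swapped into the live set 0 in a single operation, so the kernel never falls back to its default rule in between. The naive sequence (flush, then add rules one by one) is exactly what drops the session. The management host address (192.0.2.10), the outside interface (em0) and the staging set number (18) are constructed values for the example; substitute your own.

```shell
#!/bin/sh
# Added example, not from the FreeBSDwiki page: replace an ipfw ruleset on a
# default-deny FreeBSD host from a remote shell without dropping the session.
#
# "ipfw -q flush; ipfw add ..." leaves the kernel at its default rule (deny)
# between the flush and the first add, which is the lockout the article
# warns about. ipfw rule sets avoid it: the new rules are loaded into a
# *disabled* set, then swapped into the live set 0 in one operation.
#
# Assumed values (constructed for the example, not from the page):
ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"   # workstation the admin connects from
EXT_IF="${EXT_IF:-em0}"                  # outside interface
STAGE_SET="${STAGE_SET:-18}"             # scratch rule set used for staging

# gen_rules SET: print the complete ruleset as ipfw(8) command lines, each
# tagged "set SET" so the whole thing sits in a disabled set until swapped in.
gen_rules() {
    s="$1"
    echo "add 100 set $s allow ip from any to any via lo0"
    # The administrator's SSH session, written as a stateless pair on purpose:
    # dynamic (keep-state) entries belong to the rule that created them and
    # are not guaranteed to survive that rule's deletion, so a stateless rule
    # is what keeps the session alive across the swap. This pair must be in
    # every ruleset you ever load remotely.
    echo "add 200 set $s allow tcp from $ADMIN_HOST to me 22 in via $EXT_IF"
    echo "add 300 set $s allow tcp from me 22 to $ADMIN_HOST out via $EXT_IF established"
    # Stateful handling for everything the host itself initiates (updates, DNS).
    echo "add 400 set $s check-state"
    echo "add 500 set $s allow tcp from me to any out via $EXT_IF setup keep-state"
    echo "add 600 set $s allow udp from me to any 53 out via $EXT_IF keep-state"
    # Echo, unreachable and time-exceeded messages (path MTU discovery, traceroute).
    echo "add 700 set $s allow icmp from any to any icmptypes 0,3,8,11"
    # Explicit final deny. The kernel default (rule 65535) already denies on a
    # default-deny build; this copy adds logging of what was dropped.
    echo "add 65000 set $s deny log ip from any to any"
}

# apply_rules: stage, swap, clean up. Only "set swap" changes what the kernel
# enforces, and the live set is never empty at any point.
apply_rules() {
    ipfw="${IPFW:-ipfw}"
    "$ipfw" -q set disable "$STAGE_SET"             # nothing in it is enforced
    "$ipfw" -q delete set "$STAGE_SET" 2>/dev/null  # drop leftovers from an aborted run
    gen_rules "$STAGE_SET" | "$ipfw" -q /dev/stdin  # load the staged rules
    "$ipfw" -q set swap "$STAGE_SET" 0              # staged rules go live, old rules move to the disabled set
    "$ipfw" -q delete set "$STAGE_SET"              # discard the old ruleset
}

# With no argument, print the ruleset (dry run); "apply" loads it for real.
case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules "$STAGE_SET" ;;
esac
```

Run it without arguments first and read the output; when it looks right, run it with <code>apply</code> from the remote session. Because the SSH rules are stateless, the existing session keeps matching rule 200/300 in the new set; the host's own stateful outbound connections may need to be re-established after the swap, which is harmless.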
see also: [[Firewall, Configuring]]
[[Category:FreeBSD Terminology]]
[[Category:Securing FreeBSD]]

Revision as of 14:31, 13 August 2012
