Many common firewall rules include a number of lines that block specific inbound traffic. Take this from ipfw for example:
# Fragments
$cmd 00420 deny all from any to any frag in via $pif
# ACK packets that did not match the dynamic rule table
$cmd 00430 deny tcp from any to any established in via $pif
At the end, however, one typically blocks anything that does not match any of the rules:
# Deny any other inbound traffic, with logging
$cmd 00998 deny log all from any to any in via $pif
# Deny any other traffic, with logging
$cmd 00999 deny log all from any to any
How would including the first set of rules bring any benefit if we are blocking all other traffic anyway as shown above?
I can't speak to ipfw, but in iptables it makes a lot of sense, as first dispositive match wins, and there are usually permissive rules between the explicit denies at the top and the blanket deny at the bottom (unless you're building a very, very quiet device!).

So e.g. if you explicitly want to exclude all Martians, you need to have lines like

before lines like

because otherwise the ACCEPT line for ssh will permit the Martians before they ever see the blanket DENY.
Thanks to Michael Hampton for establishing that the same logic applies to ipfw rulesets.
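The ordering point made in the answer, as an added example that is not part of the original question or answer: a small hypothetical first-match filter model (constructed here, not ipfw or iptables code) evaluating a constructed martian packet against a correctly ordered ruleset and against one where the ssh accept precedes the martian deny. The rule and packet fields, the 10.0.0.0/8 source and port 22 are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical first-match packet filter model, constructed for illustration only
# (not ipfw or iptables code). The first rule whose every field matches decides.
@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None   # "tcp", "udp", or None for any protocol
    src: Optional[str] = None     # source network in CIDR form, None for any
    dport: Optional[int] = None   # destination port, None for any
    frag: Optional[bool] = None   # True to match only fragments

@dataclass
class Packet:
    proto: str
    src: str
    dport: int
    frag: bool = False

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.frag is not None and rule.frag != pkt.frag:
        return False
    return True

def decide(rules, pkt):
    """Return (action, rule index) of the first matching rule, as a first-match firewall does."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    raise RuntimeError("ruleset has no catch-all rule")

# Correct ordering: specific denies, then permissive rules, then the blanket deny.
CORRECT = [
    Rule("deny", frag=True),               # like the ipfw 00420 fragment rule
    Rule("deny", src="10.0.0.0/8"),        # drop a martian source seen on the outside interface
    Rule("allow", proto="tcp", dport=22),  # permit inbound ssh
    Rule("deny"),                          # blanket deny, like ipfw 00998/00999
]

# Wrong ordering: the ssh accept precedes the martian deny, which is then unreachable for port 22.
WRONG = [Rule("allow", proto="tcp", dport=22), Rule("deny", src="10.0.0.0/8"), Rule("deny")]
MARTIAN_SSH = Packet("tcp", "10.1.2.3", 22)  # constructed sample packet from a martian source
```

Calling `decide(CORRECT, MARTIAN_SSH)` returns the martian deny, while `decide(WRONG, MARTIAN_SSH)` returns the ssh allow, which is exactly why the specific denies belong above the permissive rules.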