From baf947253ea4c9c59864542ca7e22b96f8b1c5d8 Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Tue, 13 Jan 2015 22:57:48 -0600
Subject: [PATCH] Update: oops! don't block unicasts by default

Whoops, I overlooked that unicast was the name for the normal, expected, behavior of standard point to point network connections.
---
 level_3/firewall/data/settings/firewall-first | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/level_3/firewall/data/settings/firewall-first b/level_3/firewall/data/settings/firewall-first
index 5db789b..788de35 100644
--- a/level_3/firewall/data/settings/firewall-first
+++ b/level_3/firewall/data/settings/firewall-first
@@ -44,14 +44,15 @@ main:
 # Drop multicasts and broadcasts, they should not exist for a router and in most cases should be avoided.
+# unicasts are the normal behavior and blocking them would be very unusual.
 direction output
 rule -m pkttype --pkt-type broadcast -j output-casting
 rule -m pkttype --pkt-type multicast -j output-casting
-rule -m pkttype --pkt-type unicast -j output-casting
+#rule -m pkttype --pkt-type unicast -j output-casting
 direction input
 rule -m pkttype --pkt-type broadcast -j input-casting
 rule -m pkttype --pkt-type multicast -j input-casting
-rule -m pkttype --pkt-type unicast -j input-casting
+#rule -m pkttype --pkt-type unicast -j input-casting
 
 # Allow ALL input&output connections that have already been established by this host (using conntrack might be more efficient)
-- 
1.8.3.1
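Review bot: The two `rule -m pkttype --pkt-type unicast` lines are kept as commented-out rules rather than deleted, and the new `# unicasts are the normal behavior` comment gives no mechanism a later reader could check, so the config is one uncomment away from once again steering all ordinary traffic into the `-casting` chains. I would remove both `#rule` lines and replace the new comment with `# Unicast (the pkttype match's PACKET_HOST class) is every ordinary point-to-point packet addressed to this host; only broadcast and multicast belong in the -casting chains.` Separately, the existing `# Drop multicasts and broadcasts` comment still reads as if both can be dropped unconditionally on a router, while DHCP discovery, IPv6 neighbor discovery and router advertisements, and IGMP/mDNS rely on them, so whatever `output-casting`/`input-casting` do (not visible here) should be documented with those exceptions before anyone treats the chains as a plain DROP. The hunk header advertises 14 old and 15 new lines but fewer are visible in this copy, so the hunk's trailing context appears to have been lost in extraction.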