Feature #7701
openfirewall: configurable default policies
Description
For discussion. There are 2 ideas here:
1. allow different actions than plain drop: e.g. reject.
2. allow a default accept:hook for hooks so we can insert new hooks w/o breaking existing rulesets
Also, so far it seems like the request_started/response_started hooks would most likely fit a default accept:hook as well.
Updated by Victor Julien 8 months ago
- Related to Story #7583: 9.0.0: usecase: improve firewall usecase added
Updated by Victor Julien 2 months ago
- Has duplicate Feature #8203: firewall: add configuration option for a reject default action. added
Updated by Victor Julien about 1 month ago
- Has duplicate Feature #8281: Add reject as a default action for firewall mode added
Updated by Jamie Lavigne 10 days ago
It kind of combines 1 and 2, but allowing a default action of accept:hook combined with visibility into what the default action matches would be very valuable for testing new rulesets in a non-destructive way before enabling enforcement.
Inserting a firewall into an existing environment is a potentially dangerous operation if it ends up blocking traffic unintentionally. The two ideas above would allow a user to first configure the firewall in a way that evaluates rules and tells you what it would block but does not take any blocking action, so the user can validate the ruleset before switching the default action to blocking.
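The following model, added here as an illustration and not code from Suricata or from anyone in this thread, walks through both ideas from the description and the non-destructive testing mode from the comment above: a hook-ordered pipeline where each hook carries its own default policy (drop, reject, or accept:hook), a new hook appended to the pipeline with no rules for it, and an audit run that defaults every hook to accept:hook but reports which hook's enforcing default would have blocked the packet. The hook names (`packet:filter`, `flow:all`, `app:all`), the `defaults` mapping and the packet dicts are assumptions made for the model, not Suricata configuration syntax.

```python
"""Model of per-hook default policies in a hook-ordered firewall pipeline.

Added example for Feature #7701; it is not Suricata code. Hook names, the
`defaults` mapping and the sample packets are assumptions of this model.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

DROP = "drop"
REJECT = "reject"            # idea 1: an alternative to plain drop as a default
ACCEPT_HOOK = "accept:hook"  # pass this hook and continue with the next one


@dataclass
class Rule:
    hook: str
    match: Callable[[dict], bool]  # predicate over a packet dict
    action: str


@dataclass
class Verdict:
    action: str               # final action for the packet
    hook: str                 # hook at which that action was decided
    by_default: bool          # True when a hook default, not a rule, decided it
    default_hits: List[str]   # every hook where no rule matched (visibility)


def evaluate(pkt: dict, hooks: List[str], rules: List[Rule],
             defaults: Dict[str, str], fallback: str = DROP) -> Verdict:
    """Walk hooks in order. The first matching rule in a hook decides; if no
    rule matches, the hook's default policy applies (`fallback` when unset).
    accept:hook continues to the next hook; any other action is final."""
    hits: List[str] = []
    hook, by_default = "", False
    for hook in hooks:
        rule = next((r for r in rules if r.hook == hook and r.match(pkt)), None)
        if rule is None:
            action, by_default = defaults.get(hook, fallback), True
            hits.append(hook)
        else:
            action, by_default = rule.action, False
        if action != ACCEPT_HOOK:
            return Verdict(action, hook, by_default, hits)
    # Reached the end of the pipeline: the packet passed every hook.
    return Verdict(ACCEPT_HOOK, hook, by_default, hits)


def would_block(pkt: dict, hooks: List[str], rules: List[Rule],
                enforce_defaults: Dict[str, str],
                fallback: str = DROP) -> Optional[str]:
    """Audit mode: run with accept:hook as the default of every hook, so
    nothing is blocked by a default, then report the first hook whose
    enforcing default (drop/reject) would have stopped this packet.
    Explicit rules fire identically in both modes, so the first such hook
    is exactly where the enforcing run would have blocked."""
    audit = {h: ACCEPT_HOOK for h in hooks}
    verdict = evaluate(pkt, hooks, rules, audit)
    for h in verdict.default_hits:
        if enforce_defaults.get(h, fallback) in (DROP, REJECT):
            return h
    return None


# Constructed sample ruleset: let TCP into the pipeline, then let only
# SSH (dport 22) continue past flow:all. Written against a two-hook pipeline.
def build_ruleset() -> List[Rule]:
    return [
        Rule("packet:filter", lambda p: p["proto"] == "tcp", ACCEPT_HOOK),
        Rule("flow:all", lambda p: p["dport"] == 22, ACCEPT_HOOK),
    ]


SSH = {"proto": "tcp", "dport": 22}    # constructed sample packets
HTTP = {"proto": "tcp", "dport": 80}

HOOKS_V1 = ["packet:filter", "flow:all"]
# A later release adds a hook the existing ruleset knows nothing about.
HOOKS_V2 = ["packet:filter", "flow:all", "app:all"]


if __name__ == "__main__":
    rules = build_ruleset()
    # Enforcing, original pipeline: SSH passes, HTTP hits the drop default.
    print("v1 ssh :", evaluate(SSH, HOOKS_V1, rules, {}))
    print("v1 http:", evaluate(HTTP, HOOKS_V1, rules, {"flow:all": REJECT}))
    # New hook with an implicit drop default breaks the old ruleset ...
    print("v2 ssh, drop default       :", evaluate(SSH, HOOKS_V2, rules, {}))
    # ... while a default of accept:hook on the new hook keeps it working.
    print("v2 ssh, accept:hook default:",
          evaluate(SSH, HOOKS_V2, rules, {"app:all": ACCEPT_HOOK}))
    # Audit mode shows what enforcement would block, without blocking it.
    print("would block http at:", would_block(HTTP, HOOKS_V1, rules, {}))
    print("would block ssh at :", would_block(SSH, HOOKS_V2, rules, {}))
```

The `default_hits` list is the "visibility into what the default action matches" part: in audit mode it is what you would log per packet to see which hooks the ruleset never made a decision for, before flipping those hooks' defaults to drop or reject.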