Feature #7701
open
firewall: configurable default policies
Added by Victor Julien 11 months ago.
Updated 10 days ago.
Description
For discussion. There are 2 ideas here:
1. allow different actions than plain drop: e.g. reject.
2. allow default accept:hook hooks so we can insert new hooks without breaking existing rulesets
Also, so far it seems like the request_started/response_started hooks would most likely fit a default accept:hook as well.
- Related to Story #7583: 9.0.0: usecase: improve firewall usecase
- Has duplicate Feature #8203: firewall: add configuration option for a reject default action
- Has duplicate Feature #8281: Add reject as a default action for firewall mode
It kind of combines 1 and 2, but allowing a default action of accept:hook combined with visibility into what the default action matches would be very valuable for testing new rulesets in a non-destructive way before enabling enforcement.
Inserting a firewall into an existing environment is a potentially dangerous operation if it ends up blocking traffic unintentionally. The two ideas above would allow a user to first configure the firewall in a way that evaluates rules and tells you what it would block but does not take any blocking action, so the user can validate the ruleset before switching the default action to blocking.