WEBVTT

00:00.990 --> 00:01.930
Welcome back.

00:02.360 --> 00:09.810
This lecture will be about policy. Traffic filtering is done in the filter table of the input chain for

00:09.810 --> 00:19.350
incoming traffic, of the output chain for outgoing traffic and of the forward chain for routed traffic. Rules

00:19.350 --> 00:26.240
are added to chains and tables and traversed in order from top to bottom by the packet.

00:27.890 --> 00:36.650
A packet is then checked against each rule in turn, starting at the top. If it matches the rule, then an action

00:36.650 --> 00:40.640
is taken such as accepting or dropping the packet.

00:41.550 --> 00:49.050
Once a rule has been matched and an action taken, the packet is processed according to the target of

00:49.050 --> 00:53.580
that rule and isn't processed by further rules in the chain.

00:54.550 --> 01:02.110
Now, if a packet passes down through all the rules in the chain and reaches the bottom without being

01:02.110 --> 01:07.660
matched against any rule, then the default policy for that chain is applied.

01:08.140 --> 01:17.620
The default action is referred to as the default policy and may be set to either accept or drop. The

01:17.620 --> 01:25.480
concept of default policies raises two possibilities that we must consider before deciding how we

01:25.480 --> 01:27.490
are going to organize the firewall.

01:28.430 --> 01:34.060
So when organizing our firewall, we should have the following options in mind.

01:34.840 --> 01:43.420
We can set the default policy to drop all packets and then add the rules to specifically allow packets

01:43.600 --> 01:51.700
that may be from trusted IP addresses or for certain ports on which we have services running, like FTP,

01:51.850 --> 01:53.920
web, e-mail and so on.

01:54.100 --> 02:01.480
Or, the second possibility: we can set the default policy to accept all packets and then add the rules

02:01.630 --> 02:10.960
to specifically block or drop packets that may be from specific IP addresses or ranges or for certain ports

02:10.960 --> 02:13.260
on which we have private services.

02:14.140 --> 02:21.010
Generally, the first option is used, at least for the input chain, and is considered more secure.

02:23.050 --> 02:31.280
By default, policy is set to accept any packet that hasn't been dropped by any rule. Policy can be

02:31.280 --> 02:37.240
changed for chains of the filter table, and they are input, output and forward.

02:37.480 --> 02:42.150
We cannot change the policy for the prerouting or postrouting chains.

02:42.920 --> 02:45.460
Let's take a look at some examples.

02:46.000 --> 02:51.460
We can check the policy by listing the firewall: iptables -L.

02:52.730 --> 02:56.160
This is the default firewall for a Linux operating system.

02:56.450 --> 03:03.290
We see the default policy is accept for the input, output and forward chains. Note the fact that there is

03:03.290 --> 03:04.780
no rule in the chains.

03:04.940 --> 03:06.860
So all traffic is permitted.

03:08.290 --> 03:15.130
Now, I'll continuously ping Linux and also check the SSH connection.

03:19.540 --> 03:22.360
Ping and the IP address of Linux one.

03:25.670 --> 03:30.190
Ping is working, and now SSH.

03:36.280 --> 03:38.170
SSH is working too.

03:40.400 --> 03:44.510
Both incoming ping and SSH are working.

03:45.860 --> 03:51.850
Now, if I set the policy to drop on input chain, all the traffic will be dropped.

03:52.130 --> 03:54.660
There is no rule that accepts traffic.

03:54.710 --> 04:02.460
So all traffic is dropped: iptables -P (an uppercase P) INPUT DROP.

04:03.620 --> 04:05.930
This is how we set the policy.

04:07.640 --> 04:15.950
We see that the policy is drop and it has already dropped four packets. Ping has stopped; it doesn't

04:15.950 --> 04:16.670
work anymore.

04:19.590 --> 04:28.590
Setting the drop policy on the input chain without any rule that accepts traffic is like logically disconnecting

04:28.590 --> 04:30.150
the host from the network.

04:30.990 --> 04:37.560
Now I'll add a rule that allows incoming SSH traffic. The input chain:

04:37.560 --> 04:38.940
It's incoming traffic.

04:38.940 --> 04:45.240
The protocol is TCP, the destination port 22, -j, the target, is accept.

04:47.520 --> 04:50.460
Let's try to connect using SSH again.

04:51.990 --> 04:58.790
And it's working. We notice how the SSH client can connect to the server again.

05:01.460 --> 05:04.850
The SSH traffic is permitted by this rule.

05:06.180 --> 05:07.710
But what about ping?

05:12.520 --> 05:14.190
Ping is still not working.

05:15.610 --> 05:18.160
Ping packets are dropped by the policy.

05:24.260 --> 05:29.120
There are 15 packets dropped. Now there are 19 packets,

05:30.330 --> 05:37.320
22 packets and so on. Ping is continuously sending packets to Linux one.

05:39.160 --> 05:47.380
If I want to permit incoming ICMP ping packets, I should add a rule that accepts that traffic.

05:49.580 --> 05:54.360
Also note that policy is always at the end of the chain.

05:54.590 --> 06:00.110
It's not possible to add rules that match against packets after the policy.

06:02.370 --> 06:06.630
At the end of this lecture, I'd like to tell you something important.

06:07.050 --> 06:10.770
Take care when changing the policy on remote servers.

06:11.300 --> 06:16.460
There is always the possibility to block yourself from accessing the server anymore.

06:16.830 --> 06:24.450
First, be sure that you've added a rule that allows your own traffic and only then change the default

06:24.450 --> 06:24.990
policy.

06:25.410 --> 06:26.550
Keep this in mind.
