On Wed, Aug 18, 2010 at 4:18 PM, JD <jd1008@xxxxxxxxx> wrote:
> On 08/18/2010 01:06 PM, Tom H wrote:
>> On Tue, Aug 17, 2010 at 9:31 PM, Genes MailLists <lists@xxxxxxxxxxxx> wrote:
>>> On 08/17/2010 02:08 AM, Tom H wrote:
>>>>
>>>> IPTABLES="/sbin/iptables"
>>>> $IPTABLES --table filter --policy INPUT ACCEPT
>>>> $IPTABLES --table filter --policy FORWARD ACCEPT
>>>> $IPTABLES --table filter --policy OUTPUT ACCEPT
>>>
>>> Not saying I'm commenting on the wisdom of the rules one way or
>>> another - just asking - does one really want a default policy of accept on
>>> all of these?
>>
>> I've seen some flame wars on this topic... :)
>>
>> I was just posting the iptables commands needed to result in the
>> "iptables -L" output that the firewall GUI of the OP had created.
>>
>> Unless you add some rules for OUTPUT, you have to have it default to ACCEPT.
>>
>> Since this is a desktop with a GUI, it doesn't matter whether FORWARD
>> defaults to ACCEPT or DROP.
>>
>> Although I prefer and use DROP for INPUT, the reasoning of the GUI
>> developer/maintainer must be that having "$IPTABLES --append INPUT
>> --jump DROP" as the last INPUT rule makes the ACCEPT default safe.
>
> That sounds similar to what I had read many years ago
> when I was running freebsd.
> I was advised to start the INPUT of the ipfw rules in promiscuous mode,
> and button them up and end with the final rule to drop or reject.
>
> If the rule is started with a reject or a drop, then that is the final resolution
> of the packet, right? No further rule match is attempted. Is this correct?

When a packet is inspected, matches are checked from top to bottom for tables and chains and from left to right for rules. If a packet matches a rule, then the rule's target is applied to that packet and the following rules of that chain are skipped. If a packet doesn't match any rule in a chain, then the default policy of that chain is applied to that packet.
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
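As an added example (not code from the thread), a short Python simulation of the matching semantics Tom describes: rules are checked top to bottom, the first match decides and the rest are skipped, and an unmatched packet falls through to the chain's default policy. It is run against a constructed INPUT chain in the layout under discussion (policy ACCEPT closed off by a final unconditional DROP) and shows why a rule appended after that DROP never fires. The Rule and Chain classes, the packet fields and the rule set are assumptions for illustration, not real iptables.

```python
# Added example: simulation of iptables chain semantics (first match wins,
# otherwise the chain's default policy). Not iptables itself; the rule and
# packet fields below are assumed for illustration.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    target: str                    # verdict when the rule matches: ACCEPT or DROP
    proto: Optional[str] = None    # protocol, e.g. "tcp"; None matches anything
    dport: Optional[int] = None    # destination port; None matches anything
    iface: Optional[str] = None    # input interface; None matches anything

    def matches(self, pkt: dict) -> bool:
        wanted = {"proto": self.proto, "dport": self.dport, "iface": self.iface}
        return all(v is None or pkt.get(k) == v for k, v in wanted.items())

@dataclass
class Chain:
    policy: str                                  # default policy, e.g. "ACCEPT"
    rules: list = field(default_factory=list)    # ordered, like iptables -L

    def verdict(self, pkt: dict):
        # Top to bottom; the first matching rule decides, the rest are skipped.
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.target, idx
        return self.policy, None                 # no match: default policy

def gui_style_input_chain() -> Chain:
    # Constructed INPUT chain in the style the thread discusses: default
    # policy ACCEPT, closed off by an unconditional DROP as the last rule.
    chain = Chain(policy="ACCEPT")
    chain.rules.append(Rule("ACCEPT", iface="lo"))
    chain.rules.append(Rule("ACCEPT", proto="tcp", dport=22))
    chain.rules.append(Rule("DROP"))             # catch-all; policy never reached
    return chain

def demo() -> dict:
    chain = gui_style_input_chain()
    ssh = {"proto": "tcp", "dport": 22, "iface": "eth0"}    # constructed packets
    http = {"proto": "tcp", "dport": 80, "iface": "eth0"}
    before = chain.verdict(http)
    # "--append" puts a new rule at the end, i.e. after the catch-all DROP,
    # so it never fires: port 80 stays closed unless the rule is inserted
    # above the DROP (iptables --insert) instead.
    chain.rules.append(Rule("ACCEPT", proto="tcp", dport=80))
    return {"ssh": chain.verdict(ssh), "http_before": before, "http_after_append": chain.verdict(http)}
```

Each verdict is returned with the index of the rule that produced it, or None when the chain's default policy applied.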