tomh0665 at gmail.com
Wed Aug 18 20:06:13 UTC 2010
On Tue, Aug 17, 2010 at 9:31 PM, Genes MailLists <lists at sapience.com> wrote:
> On 08/17/2010 02:08 AM, Tom H wrote:
>> #! /bin/sh
>> $IPTABLES --table filter --policy INPUT ACCEPT
>> $IPTABLES --table filter --policy FORWARD ACCEPT
>> $IPTABLES --table filter --policy OUTPUT ACCEPT
> Not saying I'm commenting on the wisdom of the rules one way or
> another - just asking - Does one really want default policy of accept on
> all of these?
I've seen some flame wars on this topic... :)
I was just posting the iptables commands needed to result in the
"iptables -L" output that the firewall GUI of the OP had created.
Unless you add some rules for OUTPUT, you have to have it default to ACCEPT.
Since this is a desktop with a GUI, it doesn't matter whether FORWARD
defaults to ACCEPT or DROP.
Although I prefer and use DROP for INPUT, the reasoning of the GUI
developer/maintainer must be that having "$IPTABLES --append INPUT
--jump DROP" as the last INPUT rule makes the ACCEPT default safe.
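Added example, not part of the original message: a small check of what a chain does to a packet that matches no specific rule, comparing the ruleset as loaded with the same ruleset after a flush (`iptables -F` removes rules but leaves policies alone). The three ACCEPT policies and the trailing `-A INPUT -j DROP` are from the thread; the other rules and the function names are constructed for illustration, and the input is assumed to be in `iptables -S` format.

```shell
#!/bin/sh
# Constructed sample in `iptables -S` format. Only the three policies and
# the final catch-all DROP come from the thread; the rest is illustrative.
gui_style_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
EOF
}

# Simulate `iptables -F`: every -A rule disappears, -P policies remain.
flushed() {
    grep -v '^-A'
}

# effective_default CHAIN  (rules on stdin)
# Prints the fate of a packet that matches no specific rule: the target of
# the first rule with no match options and a terminating target, otherwise
# the chain policy. Exits 1 if the chain has no policy line.
# Limitation: a catch-all written with extra options before -j
# (for example -m comment) is not recognised.
effective_default() {
    awk -v chain="$1" '
        $1 == "-P" && $2 == chain { policy = $3 }
        $1 == "-A" && $2 == chain && $3 == "-j" && !catchall {
            if ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")
                catchall = $4
        }
        END {
            if (policy == "") exit 1
            print (catchall != "" ? catchall : policy)
        }'
}

for chain in INPUT FORWARD OUTPUT; do
    printf '%-8s loaded=%-7s after-flush=%s\n' "$chain" \
        "$(gui_style_rules | effective_default "$chain")" \
        "$(gui_style_rules | flushed | effective_default "$chain")"
done
```

With the rules loaded, INPUT behaves as default-deny despite its ACCEPT policy; once the rules are flushed, only the policy is left and INPUT accepts everything, which is the practical difference from setting the INPUT policy to DROP.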