iptables question

JD jd1008 at gmail.com
Wed Aug 18 20:18:01 UTC 2010


  On 08/18/2010 01:06 PM, Tom H wrote:
> On Tue, Aug 17, 2010 at 9:31 PM, Genes MailLists<lists at sapience.com>  wrote:
>> On 08/17/2010 02:08 AM, Tom H wrote:
>>   #! /bin/sh
>>> IPTABLES="/sbin/iptables"
>>> $IPTABLES --table filter --policy INPUT ACCEPT
>>> $IPTABLES --table filter --policy FORWARD ACCEPT
>>> $IPTABLES --table filter --policy OUTPUT ACCEPT
>>    Not saying I'm commenting on the wisdom of the rules one way or
>> another - just asking - Does one really want default policy of accept on
>> all of these ?
> I've seen some flame wars on this topic... :)
>
> I was just posting the iptables commands needed to result in the
> "iptables -L" output that the firewall GUI of the OP had created.
>
> Unless you add some rules for OUTPUT, you have to have it default to ACCEPT.
>
> Since this is a desktop with a GUI, it doesn't matter whether FORWARD
> defaults to ACCEPT or DROP.
>
> Although I prefer and use DROP for INPUT, the reasoning of the GUI
> developer/maintainer must be that having "$IPTABLES --append INPUT
> --jump DROP" as the last INPUT rule makes the ACCEPT default safe.
That sounds similar to what I had read many years ago
when I was running FreeBSD.
I was advised to start the INPUT of the ipfw rules in promiscuous mode,
and button them up and end with the final rule to drop or reject.

If the rule is started with a reject or a drop, then that is the final
resolution of the packet, right? No further rule match is attempted. Is this correct?
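As an added illustration of the traversal question above (not code from the thread, and a Python model of netfilter's first-match semantics rather than a call to the real iptables), the toy below builds the two INPUT styles discussed, ACCEPT policy with a catch-all DROP versus DROP policy, and also shows what a flush does to each, which goes slightly beyond the thread:

```python
# Added example: a toy model of how netfilter walks an iptables chain. It is
# a simulation only and never touches the real tables. Rules are tried in
# order; the first matching rule with a terminating target (ACCEPT, DROP,
# REJECT) decides the packet and traversal stops there. A packet matching no
# rule falls through to the chain's default policy.

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

class Chain:
    """One filter chain: an ordered rule list plus a default policy."""

    def __init__(self, policy):
        self.policy = policy
        self.rules = []  # list of (match_fn, target)

    def append(self, match_fn, target):
        self.rules.append((match_fn, target))

    def flush(self):
        """Like 'iptables -F INPUT': removes the rules but keeps the policy."""
        self.rules = []

    def verdict(self, pkt):
        for match_fn, target in self.rules:
            if match_fn(pkt) and target in TERMINATING:
                return target  # first terminating match wins; later rules are never seen
            # a matching LOG or other non-terminating target would just continue
        return self.policy  # nothing matched: the default policy decides

def ssh_from_lan(pkt):
    return pkt["proto"] == "tcp" and pkt["dport"] == 22 and pkt["src"].startswith("192.168.1.")

def anything(pkt):
    return True

def build_input(policy, final_drop):
    """The two styles from the thread: ACCEPT policy with a catch-all
    '--append INPUT --jump DROP' at the end, or DROP policy with no catch-all."""
    chain = Chain(policy)
    chain.append(ssh_from_lan, "ACCEPT")
    if final_drop:
        chain.append(anything, "DROP")
    return chain

# Constructed sample packets, not captured traffic.
LAN_SSH = {"proto": "tcp", "dport": 22, "src": "192.168.1.10"}
WAN_SSH = {"proto": "tcp", "dport": 22, "src": "203.0.113.5"}
```

Both styles give the same verdicts while the rules are loaded, but after `flush()` the ACCEPT-policy chain lets everything in while the DROP-policy chain still drops, which is the practical difference between the two.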

