iptables question

Bill Davidsen davidsen at tmr.com
Wed Aug 18 20:48:40 UTC 2010

JD wrote:
>   On 08/18/2010 01:06 PM, Tom H wrote:
>> On Tue, Aug 17, 2010 at 9:31 PM, Genes MailLists<lists at sapience.com>  wrote:
>>> On 08/17/2010 02:08 AM, Tom H wrote:
>>>> #!/bin/sh
>>>> IPTABLES="/sbin/iptables"
>>>> $IPTABLES --table filter --policy INPUT ACCEPT
>>>> $IPTABLES --table filter --policy FORWARD ACCEPT
>>>> $IPTABLES --table filter --policy OUTPUT ACCEPT
>>>    Not saying I'm commenting on the wisdom of the rules one way or
>>> another - just asking - Does one really want default policy of accept on
>>> all of these ?
>> I've seen some flame wars on this topic... :)
>> I was just posting the iptables commands needed to result in the
>> "iptables -L" output that the firewall GUI of the OP had created.
>> Unless you add some rules for OUTPUT, you have to have it default to ACCEPT.
>> Since this is a desktop with a GUI, it doesn't matter whether FORWARD
>> defaults to ACCEPT or DROP.
>> Although I prefer and use DROP for INPUT, the reasoning of the GUI
>> developer/maintainer must be that having "$IPTABLES --append INPUT
>> --jump DROP" as the last INPUT rule makes the ACCEPT default safe.
> That sounds similar to what I had read many years ago
> when I was running freebsd.
> I was advised to start the INPUT of the ipfw rules in promiscuous mode,
> and button them up and end with the final rule to drop or reject.
The only problem with that comes as soon as you start to tune the rules. If you
somehow change or delete the final rule you are wide open, and because it *must*
be the final rule people do put things after it and wonder why they don't work.
Other rules must be inserted to work. Thus I like DROP, unless the whole setup
is managed by the GUI. Even then, defaulting to safe makes me happier.

> If the rule is started with a reject or a drop, then that is the final
> resolution of the packet, right? No further rule match is attempted. Is this correct?

Correct, that's the end of it.

Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
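The failure mode Bill describes (a rule appended after the blanket DROP that can never match) is easy to check for mechanically in an iptables-save dump. The script below is an added example written for this page, not something posted in the thread: the two rule sets are constructed here to mirror the discussion (policy ACCEPT plus a trailing "-A INPUT -j DROP", versus policy DROP with no blanket rule), and the function names unreachable_rules and open_policies are my own. It treats any "-A CHAIN -j ACCEPT|DROP|REJECT" line with no match options as unconditional and terminal, and flags every later rule in the same chain as dead.

```shell
#!/bin/sh
# Lint an iptables-save style dump for (a) chains whose default policy is
# ACCEPT and (b) rules that sit after an unconditional terminal rule and
# can therefore never match.  Both dumps are constructed for this example.

# Variant A: default ACCEPT, blanket DROP appended as the "last" rule,
# then a later edit appends an SSH rule after it (the classic mistake).
RULES_ACCEPT_POLICY='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Variant B: default DROP on INPUT/FORWARD, no blanket rule, so appending
# the SSH rule works and deleting any single rule only closes things.
RULES_DROP_POLICY='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# unreachable_rules DUMP
# Print every -A rule that follows an unconditional terminal rule in the
# same chain.  iptables-save always writes matches before -j and target
# options (e.g. --reject-with) after it, so "$3 == -j" means "no match".
unreachable_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            chain = $2
            if (dead[chain]) { print "unreachable: " $0; next }
            if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
                dead[chain] = 1
        }'
}

# open_policies DUMP
# Print the name of every built-in chain whose default policy is ACCEPT.
open_policies() {
    printf '%s\n' "$1" | awk '/^:[A-Z]+ ACCEPT/ { sub(/^:/, "", $1); print $1 }'
}

# Stand-alone demo: report on both constructed dumps.
for name in RULES_ACCEPT_POLICY RULES_DROP_POLICY; do
    eval "dump=\$$name"
    echo "== $name"
    echo "chains defaulting to ACCEPT: $(open_policies "$dump" | tr '\n' ' ')"
    unreachable_rules "$dump"
done
```

Against a live box the same checks are `unreachable_rules "$(iptables-save)"` and `open_policies "$(iptables-save)"`. If the lint reports a dead rule, the fix Bill alludes to is to insert rather than append, e.g. `iptables -I INPUT 3 -p tcp --dport 22 -j ACCEPT` to place it above the blanket DROP, or better, drop the blanket rule and set `iptables -P INPUT DROP` so the order of later edits stops mattering.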
