iptables question

Tom H tomh0665 at gmail.com
Thu Aug 19 08:38:48 UTC 2010


On Wed, Aug 18, 2010 at 4:18 PM, JD <jd1008 at gmail.com> wrote:
>  On 08/18/2010 01:06 PM, Tom H wrote:
>> On Tue, Aug 17, 2010 at 9:31 PM, Genes MailLists <lists at sapience.com> wrote:
>>> On 08/17/2010 02:08 AM, Tom H wrote:
>>>>
>>>> IPTABLES="/sbin/iptables"
>>>> $IPTABLES --table filter --policy INPUT ACCEPT
>>>> $IPTABLES --table filter --policy FORWARD ACCEPT
>>>> $IPTABLES --table filter --policy OUTPUT ACCEPT
>>>
>>> Not saying I'm commenting on the wisdom of the rules one way or
>>> another - just asking - Does one really want default policy of accept on
>>> all of these ?
>>
>> I've seen some flame wars on this topic... :)
>>
>> I was just posting the iptables commands needed to result in the
>> "iptables -L" output that the firewall GUI of the OP had created.
>>
>> Unless you add some rules for OUTPUT, you have to have it default to ACCEPT.
>>
>> Since this is a desktop with a GUI, it doesn't matter whether FORWARD
>> defaults to ACCEPT or DROP.
>>
>> Although I prefer and use DROP for INPUT, the reasoning of the GUI
>> developer/maintainer must be that having "$IPTABLES --append INPUT
>> --jump DROP" as the last INPUT rule makes the ACCEPT default safe.
>
> That sounds similar to what I had read many years ago
> when I was running freebsd.
> I was advised to start the INPUT of the ipfw rules in promiscuous mode,
> and button them up and end with the final rule to drop or reject.
>
> If the rule is started with a reject or a drop, then that is the final resolution
> of the packet, right? No further rule match is attempted. Is this correct?

When a packet is inspected, matches are checked from top to bottom for
tables and chains and from left to right for rules.

If a packet matches a rule, then the rule's target is applied to that
packet and the following rules of that chain are skipped.

If a packet doesn't match any rule in a chain, then the default policy
of that chain is applied to that packet.
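The evaluation order described in this reply (first matching rule decides, chain policy only when nothing matches) is easy to get wrong when choosing between the GUI's "policy ACCEPT plus a final DROP rule" layout and a plain "policy DROP" chain. The following Python model is an added example, not code from the thread and not iptables itself: it reproduces only those semantics for a single INPUT-like chain. The `Packet`, `Rule` and `Chain` classes, the sample packets, the addresses and the three chain layouts are all constructed here for illustration.

```python
"""Toy model of how an iptables filter chain evaluates a packet.

Added example, not code from the thread or from iptables: it mirrors the
semantics described above (rules checked top to bottom, first match decides,
chain policy applies when nothing matches) so that the GUI's
"policy ACCEPT + final DROP rule" layout can be compared with a
"policy DROP" chain. Packets, rules and addresses are constructed here.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp"
    dport: Optional[int]  # destination port, None for protocols without one
    src: str              # source address
    state: str            # conntrack state: "NEW" or "ESTABLISHED"


@dataclass
class Rule:
    target: str                   # ACCEPT, DROP or REJECT
    proto: Optional[str] = None   # -p
    dport: Optional[int] = None   # --dport
    src: Optional[str] = None     # -s, as a CIDR string
    state: Optional[str] = None   # -m state --state

    def matches(self, pkt: Packet) -> bool:
        """Every criterion given must hold; an omitted one is a wildcard."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src is not None and (
            ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src)
        ):
            return False
        if self.state is not None and self.state != pkt.state:
            return False
        return True


@dataclass
class Chain:
    policy: str                          # iptables --policy INPUT <ACCEPT|DROP>
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:          # top to bottom
            if rule.matches(pkt):
                return rule.target       # first match wins; later rules are skipped
        return self.policy               # nothing matched: the default policy decides

    def flush(self) -> None:
        """iptables -F: empties the rules but leaves the policy as it was."""
        self.rules.clear()


# Constructed sample packets.
SSH_NEW = Packet("tcp", 22, "10.0.0.5", "NEW")
MYSQL_NEW = Packet("tcp", 3306, "203.0.113.9", "NEW")
REPLY = Packet("tcp", 51234, "203.0.113.9", "ESTABLISHED")

COMMON = [
    Rule("ACCEPT", state="ESTABLISHED"),
    Rule("ACCEPT", proto="tcp", dport=22, src="10.0.0.0/8"),
]


def gui_style_chain() -> Chain:
    """Policy ACCEPT, made safe by an unconditional DROP as the last rule."""
    return Chain("ACCEPT", COMMON + [Rule("DROP")])


def policy_drop_chain() -> Chain:
    """Policy DROP; no catch-all rule needed."""
    return Chain("DROP", list(COMMON))


def misordered_chain() -> Chain:
    """The catch-all DROP placed first: every rule after it is unreachable."""
    return Chain("ACCEPT", [Rule("DROP")] + COMMON)


def verdicts(chain: Chain) -> List[str]:
    """Verdicts for SSH_NEW, MYSQL_NEW and REPLY, in that order."""
    return [chain.verdict(p) for p in (SSH_NEW, MYSQL_NEW, REPLY)]


def after_flush(chain: Chain) -> str:
    """What an unsolicited connection gets once the rules are gone."""
    chain.flush()
    return chain.verdict(MYSQL_NEW)


if __name__ == "__main__":
    for name, build in (("gui-style", gui_style_chain),
                        ("policy-DROP", policy_drop_chain),
                        ("misordered", misordered_chain)):
        print(f"{name:12} rules intact: {verdicts(build())}  "
              f"after -F: {after_flush(build())}")
```

While the rules are in place the gui-style and policy-DROP chains give identical verdicts, which is the point made above about the trailing DROP making a default of ACCEPT safe. The misordered chain shows the answer to the question about a leading DROP: it is the first match, so the later ACCEPT rules never run. The difference between the two sane layouts only appears when the rules go away (a flush, a failed reload, a script that exits early): a policy of ACCEPT then fails open and every port is reachable, a policy of DROP fails closed, which on a remote box can also mean losing your own SSH session.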

