From: Robb Bossley <robb.bossley@gmail.com>
To: netfilter@lists.netfilter.org
Subject: A Simple Question
Date: Tue, 9 Aug 2005 20:11:52 -0400 [thread overview]
Message-ID: <5c685153050809171164af25e4@mail.gmail.com> (raw)
I have been using Linux for quite some time, and I really enjoy the
power that is available with netfilter. Thank you for all of your
input into the development and testing of it.
I have used other people's scripts to configure my firewall for a
number of years, though I usually rolled my own kernels for this.
I have been reading the mailing list posts and it seems that most of
you who are very knowledgeable with netfilter would propose a default
policy of DROP on both the INPUT and FORWARD chains.
iptables -P INPUT DROP
iptables -P FORWARD DROP
However, I have noticed that a number of what I would consider to be
strong contenders in the market use default policies of ACCEPT and
then have a DROP rule at the end of the tables / chain.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
...................................(other stuff here)..........................
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
I'm confused. Which is preferred for security and why? (Or is this
just six of one, half a dozen of another?)
--
As if you could kill time without injuring eternity. The mass of men
live lives of quiet desperation.
- Henry David Thoreau
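The two styles in the message above, modelled in a short chain-walk simulator. This is an added example written for this page, not code from the original post or from netfilter; the `Chain`/`Rule` classes, the two sample rulesets (an ESTABLISHED accept plus an accept for tcp/22) and the three packets are constructed here to show where the styles behave identically and where they do not.

```python
"""Toy model of netfilter chain traversal (added example, not netfilter code).

Semantics modelled: rules are walked top to bottom, the first match decides
the verdict, and if nothing matches the chain's default policy applies.
`iptables -F` removes rules but leaves the policy in place; `iptables -A`
appends at the end of the chain, i.e. below any existing catch-all rule.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Packet = Dict[str, object]  # constructed packets: {"proto", "dport", "state"}


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str  # "ACCEPT" or "DROP"
    text: str    # the iptables command this rule stands for


@dataclass
class Chain:
    policy: str                              # iptables -P <chain> <policy>
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:    # iptables -A <chain> ...
        self.rules.append(rule)

    def flush(self) -> None:                 # iptables -F: rules go, policy stays
        self.rules.clear()

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:              # first match wins
            if rule.match(pkt):
                return rule.target
        return self.policy                   # no match: default policy


def match_all(_pkt: Packet) -> bool:
    return True


def established(pkt: Packet) -> bool:
    return pkt.get("state") == "ESTABLISHED"


def tcp_port(port: int) -> Callable[[Packet], bool]:
    return lambda pkt: pkt.get("proto") == "tcp" and pkt.get("dport") == port


def build_default_drop() -> Chain:
    """Style 1: iptables -P INPUT DROP, then explicit ACCEPT rules."""
    c = Chain(policy="DROP")
    c.append(Rule(established, "ACCEPT", "-A INPUT -m state --state ESTABLISHED -j ACCEPT"))
    c.append(Rule(tcp_port(22), "ACCEPT", "-A INPUT -p tcp --dport 22 -j ACCEPT"))
    return c


def build_default_accept() -> Chain:
    """Style 2: iptables -P INPUT ACCEPT, same ACCEPTs, trailing -j DROP."""
    c = Chain(policy="ACCEPT")
    c.append(Rule(established, "ACCEPT", "-A INPUT -m state --state ESTABLISHED -j ACCEPT"))
    c.append(Rule(tcp_port(22), "ACCEPT", "-A INPUT -p tcp --dport 22 -j ACCEPT"))
    c.append(Rule(match_all, "DROP", "-A INPUT -j DROP"))
    return c


# Constructed sample traffic: new ssh, new http, a reply packet on udp/53.
SAMPLE: List[Packet] = [
    {"proto": "tcp", "dport": 22, "state": "NEW"},
    {"proto": "tcp", "dport": 80, "state": "NEW"},
    {"proto": "udp", "dport": 53, "state": "ESTABLISHED"},
]


def verdicts(chain: Chain, packets: List[Packet] = SAMPLE) -> List[str]:
    return [chain.verdict(p) for p in packets]


def after_flush(build: Callable[[], Chain]) -> List[str]:
    """What the chain does after `iptables -F` (e.g. a script that flushes first)."""
    c = build()
    c.flush()
    return verdicts(c)


def after_late_append(build: Callable[[], Chain]) -> List[str]:
    """Someone later runs `iptables -A INPUT -p tcp --dport 80 -j ACCEPT`."""
    c = build()
    c.append(Rule(tcp_port(80), "ACCEPT", "-A INPUT -p tcp --dport 80 -j ACCEPT"))
    return verdicts(c)


if __name__ == "__main__":
    for name, build in (("policy DROP", build_default_drop),
                        ("policy ACCEPT + -j DROP", build_default_accept)):
        print(f"{name:24} intact: {verdicts(build())}")
        print(f"{'':24} after -F: {after_flush(build)}")
        print(f"{'':24} after late -A: {after_late_append(build)}")
```

With the table intact both styles give the same verdicts, so on a steady-state host they are equivalent. The difference shows up in the failure modes: after `iptables -F` the DROP policy is still there and the host fails closed (including your own ssh session, which is the usual way people lock themselves out), while the ACCEPT policy leaves everything open until the trailing DROP rule is reloaded; and a rule appended with `-A` behind an existing `-j DROP` is never reached, so the ACCEPT-policy style silently ignores later appends. The practical mitigation for the lock-out case is to set the policy and load the whole ruleset in one step with `iptables-restore` rather than applying rules one command at a time.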
Thread overview (18+ messages):
2005-08-10 0:11 Robb Bossley [this message]
2005-08-10 19:58 ` A Simple Question /dev/rob0
2005-08-11 5:54 ` Jan Engelhardt
2005-08-12 5:27 ` Grant Taylor