general policy question

general policy question

[patrick conlin]

does one generally set the -P on their mangle table chains to DROP, even if
you're not using them for anything?

usual procedure says set -P on all chains to DROP and allow what's
necessary, but if you're not using your mangle table chains for anything and
you set -P to DROP (on the iptables -t mangle PREROUTING chain, for example)
all packets get dropped.

you guessed it, I just did this and got booted from the machine. Now I have
to wait until I can go home and reboot my firewall before I can play with it
any more.

Just wondering how everyone else handles this.

-=p=-

general policy question

[patrick conlin]

does one generally set the -P on their mangle table chains to DROP, even if
you're not using them for anything?

usual procedure says set -P on all chains to DROP and allow what's
necessary, but if you're not using your mangle table chains for anything and
you set -P to DROP (on the iptables -t mangle PREROUTING chain, for example)
all packets get dropped.

you guessed it, I just did this and got booted from the machine. Now I have
to wait until I can go home and reboot my firewall before I can play with it
any more.

Just wondering how everyone else handles this.

-=p=-

Re: general policy question

[Antony Stone]

On Friday 07 June 2002 3:35 pm, patrick conlin wrote:

> does one generally set the -P on their mangle table chains to DROP, even if
> you're not using them for anything?

No.   Mangle tables are for mangling.   Nat tables are for address 
translating, and Filter tables are for filtering.   DROP is a filter 
operation, therefore it belongs only in the filter tables.

> usual procedure says set -P on all chains to DROP and allow what's
> necessary,

Yes, but that's just being being sloppy in their description and not saying 
"all chains in the filter table"...

> but if you're not using your mangle table chains for anything
> and you set -P to DROP (on the iptables -t mangle PREROUTING chain, for
> example) all packets get dropped.

Yes :-)

The reason ?   All packets have to pass through the mangle, nat and filter 
tables in order to traverse the entire system.   If any one of those tables 
DROPsthe packet, that's it - it's DROPped !

> Just wondering how everyone else handles this.

Don't try to filter using the mangle table :-)


Antony.

Re: general policy question

[Ramin Alidousti]

On Thu, Jun 06, 2002 at 05:44:21PM -0400, patrick conlin wrote:

> does one generally set the -P on their mangle table chains to DROP, even if
> you're not using them for anything?
> 
> usual procedure says set -P on all chains to DROP and allow what's
> necessary,

Apparently they meant the "filter" table and not mangle or nat.

Ramin

> but if you're not using your mangle table chains for anything and
> you set -P to DROP (on the iptables -t mangle PREROUTING chain, for example)
> all packets get dropped.
> 
> you guessed it, I just did this and got booted from the machine. Now I have
> to wait until I can go home and reboot my firewall before I can play with it
> any more.
> 
> Just wondering how everyone else handles this.
> 
> -=p=-
>