Tue, 1 Jan 2002 09:45:08 -0600
On Mon, Dec 31, 2001 at 04:36:52PM -0500, Walter Mundt wrote:
> You put the deny-by-default policy in your 'filter' table, where all
> "filtering out" of packets is designed to go. Every packet not operating
> through 'lo' goes through exactly one filter table in passing through the
> firewall. Forwarded packets go through FORWARD, outgoing (from the firewall
> itself) go through OUTPUT, and packets routed to the firewall go to INPUT.
> Basically, the 'mangle' table should only have rules that change a packet,
> and the 'nat' table should only have NAT rules. DROPping packets or
> REJECTING them appropriately belongs in the 'filter' tables.
That's the way I always understood it, but I've got the new "Linux Firewalls"
book here which sets default mangle and nat policies to DROP.
Guess that means you can't believe everything you read :-)
Thanks - Jeff
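The table layout Walter describes, written out as an added example (not code from either poster or from the book mentioned): a small script that emits an iptables-restore ruleset with the deny-by-default policy only in the filter table, while mangle and nat keep ACCEPT policies and hold nothing but packet-altering and NAT rules. The interface names and LAN subnet are constructed placeholders, and the script assumes a 2.4-series or later kernel whose mangle table has all five built-in chains. A second function checks the generated text so a mistaken DROP policy in mangle or nat is caught before the ruleset is loaded.

```shell
#!/bin/sh
# Added example, not from the original thread: generate and sanity-check a
# ruleset where only the filter table carries a deny-by-default policy.
# LAN_IF, WAN_IF and LAN_NET are constructed placeholders; override via env.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset in iptables-restore format.
gen_ruleset() {
cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Verify the table/policy layout: every mangle and nat chain policy must be
# ACCEPT, every filter chain policy must be DROP. Returns 0 when correct.
check_policies() {
  rs=$(gen_ruleset)
  bad=$(printf '%s\n' "$rs" | awk '
    /^\*/ { table = substr($0, 2); next }
    /^:/ {
      split($1, a, ":"); chain = a[2]; pol = $2
      if ((table == "mangle" || table == "nat") && pol != "ACCEPT") print table, chain, pol
      if (table == "filter" && pol != "DROP") print table, chain, pol
    }')
  [ -z "$bad" ]
}

# Usage on a firewall host (as root): check first, then load atomically.
#   check_policies && gen_ruleset | iptables-restore
```

Loading through iptables-restore replaces all three tables in one step, so the check above runs against exactly the text the kernel will receive; putting DROP policies on mangle or nat would make the function fail and nothing would be loaded.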