A Simple Question

Robb Bossley robb.bossley at gmail.com
Wed Aug 10 02:11:52 CEST 2005

I have been using Linux for quite some time, and I really enjoy the
power that is available with netfilter.  Thank you for all of your
input into the development and testing of it.

I have used other people's scripts to configure my firewall for a
number of years, though I usually rolled my own kernels for this.

I have been reading the mailing list posts and it seems that most of
you who are very knowledgeable with netfilter would propose a default
policy of DROP on both the INPUT and FORWARD chains.

iptables -P INPUT DROP
iptables -P FORWARD DROP
However, I have noticed that a number of what I would consider to be
strong contenders in the market use default policies of ACCEPT and
then have a DROP rule at the end of the tables / chain.

iptables -P INPUT ACCEPT
...................................(other stuff here)..........................
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

I'm confused.  Which is preferred for security and why?  (Or is this
just six of one, half a dozen of another?)
As if you could kill time without injuring eternity.  The mass of men
live lives of quiet desperation.
- Henry David Thoreau

More information about the netfilter mailing list