A Simple Question
robb.bossley at gmail.com
Wed Aug 10 02:11:52 CEST 2005
I have been using Linux for quite some time, and I really enjoy the
power that is available with netfilter. Thank you for all of your
input into the development and testing of it.
I have used other people's scripts to configure my firewall for a
number of years, though I usually rolled my own kernels for this.
I have been reading the mailing list posts and it seems that most of
you who are very knowledgeable with netfilter would propose a default
policy of DROP on both the INPUT and FORWARD chains.
iptables -P INPUT DROP
iptables -P FORWARD DROP
However, I have noticed that a number of what I would consider to be
strong contenders in the market use default policies of ACCEPT and
then have a DROP rule at the end of the tables / chain.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
...................................(other stuff here)..........................
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
I'm confused. Which is preferred for security and why? (Or is this
just six of one, half a dozen of another?)
As if you could kill time without injuring eternity. The mass of men
live lives of quiet desperation.
- Henry David Thoreau
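A check for the two styles the question contrasts, added here and not part of the original post: it reads iptables-save style text (the two rulesets are constructed samples), needs only sh and awk, and shows what is left to decide a packet's fate once the rules are flushed.

```shell
#!/bin/sh
# Added example, not from the original post: audit iptables-save output for
# chains whose "deny everything else" depends on a trailing DROP rule rather
# than on the chain policy. Both rulesets below are constructed samples.

# Default ACCEPT with a catch-all DROP as the last rule (the second style).
WEAK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT'

# Same allow rules, but the deny lives in the policy (the first style).
HARDENED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Reads a ruleset on stdin; prints each chain whose policy is ACCEPT while
# its last rule is an unconditional "-j DROP".
audit_policy() {
  awk '
    /^:/   { sub(/^:/, "", $1); policy[$1] = $2; next }
    /^-A / { last[$2] = $0 }
    END {
      for (c in policy)
        if (policy[c] == "ACCEPT" && last[c] ~ /^-A [A-Za-z0-9_]+ -j DROP$/)
          print c
    }'
}

# Reads a ruleset on stdin; prints what chain $1 does to an unmatched packet
# after "iptables -F": the rules are gone, so only the policy decides.
after_flush() {
  awk -v c="$1" '/^:/ { sub(/^:/, "", $1); if ($1 == c) print $2 }'
}

# Usage: flag the chains relying on a trailing DROP, then compare after a flush.
printf '%s\n' "$WEAK" | audit_policy | sort      # prints FORWARD and INPUT
printf '%s\n' "$WEAK" | after_flush INPUT        # ACCEPT: the DROP left with the rules
printf '%s\n' "$HARDENED" | after_flush INPUT    # DROP: the policy survives the flush
```

The same audit runs against a live box with `iptables-save | audit_policy`.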