A Simple Question

/dev/rob0 rob0 at gmx.co.uk
Wed Aug 10 21:58:43 CEST 2005


On Tuesday 2005-August-09 19:11, Robb Bossley wrote:
> I have been reading the mailing list posts and it seems that most of
> you who are very knowledgeable with netfilter would propose a default
> policy of DROP on both the INPUT and FORWARD chains.
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP

Yes, but ...

> However, I have noticed that a number of what I would consider to be
> strong contenders in the market use default policies of ACCEPT and
> then have a DROP rule at the end of the tables / chain.
>
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> ... (other stuff here) ...
> iptables -A INPUT -j DROP
> iptables -A FORWARD -j DROP

... this is simply another means to the same end.

> I'm confused.  Which is preferred for security and why?  (Or is this
> just six of one, half a dozen of another?)

It all depends on the "other stuff" in the middle. At my most complex 
site, I went for default ACCEPT policies because I had multiple types 
of internal interfaces. Even those have varying needs. It just seemed 
that an ACCEPT policy would be the simplest way to get the job done. 
Everything we don't want is dropped (or rejected), everything we do 
want is accepted.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
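An added example, not part of the original thread: a small Python model of netfilter's first-match chain walk, used to check the claim that default DROP and default ACCEPT with a trailing catch-all DROP are "another means to the same end". Rules, packets and port numbers below are constructed for illustration; the `(proto, port, target)` tuples are a simplification of real iptables matches.

```python
# Two INPUT chains with the same "other stuff" in the middle:
#   1. default policy DROP, only allow rules in the chain
#   2. default policy ACCEPT, explicit "-A INPUT -j DROP" at the end
# A rule is (proto, dport, target); None means "match anything".
DEFAULT_POLICY_DROP = ("DROP", [
    ("tcp", 22, "ACCEPT"),
    ("tcp", 80, "ACCEPT"),
])

TRAILING_DROP = ("ACCEPT", [
    ("tcp", 22, "ACCEPT"),
    ("tcp", 80, "ACCEPT"),
    (None, None, "DROP"),   # like "iptables -A INPUT -j DROP"
])

# Constructed sample packets: (proto, dport)
PACKETS = [("tcp", 22), ("tcp", 80), ("tcp", 25), ("udp", 53)]


def verdict(chain, packet):
    """First matching rule decides; if none matches, the policy does."""
    policy, rules = chain
    proto, port = packet
    for r_proto, r_port, target in rules:
        if (r_proto is None or r_proto == proto) and \
           (r_port is None or r_port == port):
            return target
    return policy


def verdicts(chain):
    return [verdict(chain, p) for p in PACKETS]


def chains_equivalent(a, b):
    """True when both chains give the same verdict for every sample packet."""
    return verdicts(a) == verdicts(b)


def truncated(chain, n):
    """Model a rule script that aborted after loading only n rules."""
    policy, rules = chain
    return (policy, rules[:n])


def fail_closed(chain):
    """Does the chain still drop everything if no rules got loaded at all?"""
    return all(verdict(truncated(chain, 0), p) == "DROP" for p in PACKETS)


def append_rule(chain, rule):
    """Model a later 'iptables -A INPUT ...' added after the script ran."""
    policy, rules = chain
    return (policy, rules + [rule])
```

With a complete ruleset the two styles agree on every packet; they differ only in the edge cases: a half-loaded script leaves the default-ACCEPT chain open, and a rule appended later with `-A` lands after the catch-all DROP and never matches.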
