A Simple Question

Grant Taylor gtaylor at riverviewtech.net
Fri Aug 12 07:27:44 CEST 2005

Robb Bossley wrote:
> I have been using Linux for quite some time, and I really enjoy the
> power that is available with netfilter.  Thank you for all of your
> input into the development and testing of it.
> I have used other people's scripts to configure my firewall for a
> number of years, though I usually rolled my own kernels for this.
> I have been reading the mailing list posts and it seems that most of
> you who are very knowledgeable with netfilter would propose a default
> policy of DROP on both the INPUT and FORWARD chains.
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> However, I have noticed that a number of what I would consider to be
> strong contenders in the market use default policies of ACCEPT and
> then have a DROP rule at the end of the tables / chain.
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> ...................................(other stuff here)..........................
> iptables -A INPUT -j DROP
> iptables -A FORWARD -j DROP
> I'm confused.  Which is preferred for security and why?  (Or is this
> just six of one, half a dozen of another?)

IMHO both methods are just about equally as effective.  However I believe that by using the default policy of a chain you can save adding a rule that must be traversed and thus make the processing just slightly faster.  On the other hand you can only set default policies on built in chains and thus you must do your own ""policy equivalent at the end of user defined chains with the rules that you have noticed.  Thus for uniformity it may just be easier for some firewall authors to stick with the method that they know will work in EVERY chain than to have to remember which chain they are in.  To me this issue is really 5.5 of one dozen and 6.5 of another, close but not exactly the same.

Grant. . . .

More information about the netfilter mailing list