
Fw: Re: policy DROP and 1 rule




Begin forwarded message:

Date: Sat, 16 Nov 2002 01:14:41 +0100
From: Alexander Girgis <girgisar@swt.uni-stuttgart.de>
To: debian-firewall@lists.debian.org
Subject: Re: policy DROP and 1 rule


Hi,

> Hi, when I set the INPUT policy to DROP and then insert a rule -A
> INPUT -s lan-machine -j ACCEPT, the LAN machine normally must be
> able to ping the firewalled machine?

You are perfectly right with this: the "lan-machine" will be able to
send a ping request (or anything else) to the firewalled machine and
it will be accepted. If you don't get any answers from the firewalled
machine, this might be caused by the OUTPUT chain dropping the answers
of the firewalled machine.

Sorry, but all my Debian machines with iptables have all policies set to ACCEPT. The only policy I changed is INPUT in the filter table (the default table), and the one-and-only rule accepts all protocols from a destination (-A INPUT -s some-box -j ACCEPT). The OUTPUT policy is set to ACCEPT and no other rule in any other table is set, but ping and anything else doesn't go. And that is on all my machines with iptables?

To see ping (and everything else) working you have to ensure both:
- the requests reach the firewalled machine (as you actually did), and
- the answers are able to leave the firewalled machine.

> With this syntax the -p option is by default set to "all", so ICMP is
> also covered by "all", or am I wrong?

No, you are not wrong. This is perfectly right.

Regards 
        Alex
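The two points made in the thread (first-match rules with a chain policy as fallback, and a ping needing both INPUT and OUTPUT to pass) as a small model of iptables filter-chain traversal. This is an added example, not code from the thread; the host names and the tables are constructed to mirror the poster's ruleset, and the model ignores connection tracking and other tables.

```python
from dataclasses import dataclass, field
from typing import Optional

ACCEPT, DROP = "ACCEPT", "DROP"

@dataclass
class Rule:
    """One filter rule; None for a match field means 'any' (like omitting -p)."""
    target: str
    src: Optional[str] = None     # -s
    proto: Optional[str] = None   # -p; omitted means "all"

    def matches(self, pkt):
        return ((self.src is None or self.src == pkt["src"]) and
                (self.proto is None or self.proto == pkt["proto"]))

@dataclass
class Chain:
    policy: str
    rules: list = field(default_factory=list)

    def verdict(self, pkt):
        # iptables walks the rules in order; the first match decides,
        # and the chain policy applies only when nothing matched.
        for r in self.rules:
            if r.matches(pkt):
                return r.target
        return self.policy

def ping_roundtrip(filt, lan, fw):
    """Verdicts for (echo request into fw, echo reply out of fw)."""
    request = {"src": lan, "dst": fw, "proto": "icmp"}
    inbound = filt["INPUT"].verdict(request)
    if inbound != ACCEPT:
        return inbound, None           # fw never sees it, so no reply
    reply = {"src": fw, "dst": lan, "proto": "icmp"}
    return inbound, filt["OUTPUT"].verdict(reply)

LAN, FW, OTHER = "lan-machine", "firewalled-machine", "other-box"  # constructed names
# The poster's filter table: INPUT policy DROP + "-A INPUT -s lan-machine -j ACCEPT"
posters_table = {"INPUT": Chain(DROP, [Rule(ACCEPT, src=LAN)]),
                 "OUTPUT": Chain(ACCEPT)}
# The case Alex describes: OUTPUT dropping the answers, so replies never leave.
output_drop_table = {"INPUT": Chain(DROP, [Rule(ACCEPT, src=LAN)]),
                     "OUTPUT": Chain(DROP)}

if __name__ == "__main__":
    print(ping_roundtrip(posters_table, LAN, FW))      # ('ACCEPT', 'ACCEPT')
    print(ping_roundtrip(output_drop_table, LAN, FW))  # ('ACCEPT', 'DROP')
```

Note that the rule without -p matches ICMP as well as TCP or UDP from the LAN host, which is the "all" behaviour the thread asks about.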
