On Monday, 28.02.2005 at 17:26 +0100, Ansgar -59cobalt- Wiechers wrote:

> On 2005-02-28 aspenbr@yahoo.com.br wrote:
> > I have one I doubt, which advantage and disadvantage of define chain
> > FORWARD as standard ACCEPT.
>
> Not sure if I understand your question correctly. Are you asking if it
> is a good idea to use ACCEPT as the default policy in the FORWARD
> chain? If that's your question, the answer is no. Unless you know
> exactly what you are doing, the default policy for *any* chain should
> be DROP.

Correct. You should probably set the default policy for the NAT and
MANGLE stuff to ACCEPT, though, because that's not where you filter
stuff, it's where you *change* the packets.

My firewall rulesets always start:

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    iptables -t mangle -P PREROUTING ACCEPT
    iptables -t mangle -P OUTPUT ACCEPT

Dave.
--
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
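
An added example, not part of the message above: a check that reads iptables-save output and reports every built-in chain whose default policy departs from the convention described in the thread (DROP in filter, ACCEPT in nat and mangle). The function names audit_policies and sample_ruleset are hypothetical, and the sample ruleset is constructed for illustration.

```shell
#!/bin/sh
# Read iptables-save output on stdin and print one line per built-in chain
# whose default policy differs from: filter = DROP, nat and mangle = ACCEPT.
audit_policies() {
    awk '
        substr($0, 1, 1) == "*" { table = substr($0, 2); next }  # table header
        substr($0, 1, 1) == ":" {
            chain = substr($1, 2); policy = $2
            if (policy == "-") next          # user-defined chain, no policy
            if (table != "filter" && table != "nat" && table != "mangle") next
            want = (table == "filter") ? "DROP" : "ACCEPT"
            if (policy != want)
                printf "%s/%s policy=%s expected=%s\n", table, chain, policy, want
        }
    '
}

# Constructed sample in iptables-save format with two deliberate deviations:
# FORWARD left at ACCEPT in filter, and a DROP policy in mangle.
sample_ruleset() {
cat <<'EOF'
# constructed sample, not taken from a real host
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# On a live host (needs root): iptables-save | audit_policies
sample_ruleset | audit_policies
```

An empty result means every built-in chain in the three tables matches the convention.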