martin f krafft wrote:
on the basis that it's not okay to drop bad packets before accepting good packets, the following would not be okay even though they're logically equivalent?
I want to make things clear: dropping packets first is not bad; what is bad is accepting packets with the assumption that they meet certain requirements based on the fact that packets which don't meet these requirements were dropped or rejected before by a previous rule.
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    iptables -A INPUT -m conntrack --ctstate NEW -p tcp --dport ssh --syn -j ACCEPT
    iptables -A INPUT -j DROP
Good. All the requirements are in the accept rule, so it does not rely on previous drop rules.
and

    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    iptables -A INPUT -m conntrack ! --ctstate NEW -j DROP
    iptables -A INPUT -p tcp ! --syn -j DROP
    iptables -A INPUT -p tcp --dport ssh -j ACCEPT
    iptables -A INPUT -j DROP
Very bad! The accept rule relies on previous drop rules.

Ideally, you should not need any drop rules except at the very end of the chain (or as the chain default policy, which of course must be DROP). However, you may have some drop rules for performance reasons, to avoid examination of the remaining rules. For instance, if you have a user-defined chain containing all the rules for a given interface, you can append a drop rule at the end of this chain so rules for other interfaces are not examined.
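To make the difference between the two rulesets concrete, here is an added example (not part of the original thread, and not iptables itself): a small Python model of chain traversal that encodes both rulesets and then checks what happens when a single drop rule is deleted, or when the ssh accept rule is moved to another position in the chain. The Packet and Rule types, the helper names and the sample packets are constructed for this illustration; the "mid-stream" packet assumes a non-SYN segment that conntrack has still classified as NEW, which is exactly the case the `! --syn` drop rule in the second ruleset exists for.

```python
"""Toy model of netfilter chain traversal: first matching rule decides the verdict,
otherwise the chain policy applies. Constructed example; not iptables code."""
from dataclasses import dataclass
from typing import List, Optional

SSH = 22


@dataclass(frozen=True)
class Packet:
    state: str        # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    dport: int        # TCP destination port
    syn_only: bool    # True if the segment would match --syn (SYN set, ACK/RST/FIN clear)


@dataclass(frozen=True)
class Rule:
    target: str                       # "ACCEPT" or "DROP"
    state: Optional[str] = None       # --ctstate A,B   (packet state must be in the list)
    not_state: Optional[str] = None   # ! --ctstate A   (packet state must NOT be in the list)
    dport: Optional[int] = None       # --dport N
    syn: Optional[bool] = None        # True: --syn, False: ! --syn

    def matches(self, p: Packet) -> bool:
        if self.state is not None and p.state not in self.state.split(","):
            return False
        if self.not_state is not None and p.state in self.not_state.split(","):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.syn is not None and p.syn_only != self.syn:
            return False
        return True


def walk(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """Return the verdict of the first matching rule, or the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# The "good" ruleset: the accept rule carries every requirement itself.
GOOD = [
    Rule("ACCEPT", state="ESTABLISHED,RELATED"),
    Rule("DROP", state="INVALID"),
    Rule("ACCEPT", state="NEW", dport=SSH, syn=True),
    Rule("DROP"),
]

# The "very bad" ruleset: the accept rule only checks the port and trusts earlier drops.
BAD = [
    Rule("ACCEPT", state="ESTABLISHED,RELATED"),
    Rule("DROP", state="INVALID"),
    Rule("DROP", not_state="NEW"),
    Rule("DROP", syn=False),
    Rule("ACCEPT", dport=SSH),
    Rule("DROP"),
]


def without(chain: List[Rule], index: int) -> List[Rule]:
    return chain[:index] + chain[index + 1:]


def fragile_removals(chain: List[Rule], p: Packet) -> List[int]:
    """Indices of rules whose deletion alone flips this packet's verdict from DROP to ACCEPT.
    An empty list means no single drop rule is load-bearing for rejecting this packet."""
    assert walk(chain, p) == "DROP", "only meaningful for a packet the full chain drops"
    return [i for i in range(len(chain)) if walk(without(chain, i), p) == "ACCEPT"]


def accept_position_independent(chain: List[Rule], p: Packet) -> bool:
    """Move the ssh accept rule to every possible position; True if the packet is still
    dropped wherever it ends up, i.e. the accept rule does not depend on rule order."""
    idx = next(i for i, r in enumerate(chain) if r.target == "ACCEPT" and r.dport == SSH)
    accept, rest = chain[idx], without(chain, idx)
    return all(walk(rest[:pos] + [accept] + rest[pos:], p) == "DROP"
               for pos in range(len(rest) + 1))


# Constructed sample packets.
LEGIT = Packet("NEW", SSH, True)         # a real connection attempt to ssh
MIDSTREAM = Packet("NEW", SSH, False)    # non-SYN segment conntrack still called NEW
STALE = Packet("INVALID", SSH, True)     # SYN that conntrack flagged INVALID

if __name__ == "__main__":
    for name, chain in (("good", GOOD), ("bad", BAD)):
        print(name, "accepts legit ssh:", walk(chain, LEGIT))
        print(name, "drop rules the ssh accept secretly depends on (midstream):",
              fragile_removals(chain, MIDSTREAM))
        print(name, "ssh accept safe at any position:",
              accept_position_independent(chain, MIDSTREAM)
              and accept_position_independent(chain, STALE))
```

Both chains give the same verdicts as long as nobody touches them. The difference shows up the moment the chain is edited: deleting the `! --syn` drop from the second ruleset (perhaps because it "looked redundant") silently lets the mid-stream packet through, and moving its ssh accept rule up the chain for speed accepts INVALID packets too. The first ruleset survives both edits, because every condition the accept rule needs is written into the accept rule.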