iptables support?

Tim ignored_mailbox at yahoo.com.au
Sat Dec 10 09:35:38 UTC 2005


Tim:
>> ## Set default (policy) rules:
>>
>> iptables --policy INPUT DROP
>> iptables --policy OUTPUT ACCEPT
>> iptables --policy FORWARD ACCEPT
>>
>> Specific rules follow on from here.  Some to explicitly deny things I
>> want to take precautions against, and some to allow things I want.

Res:
> This might be fine for a home machine, there are situations where
> policy in should be allowed and accept rules then deny rules, this is
> important if you run iptables on a high loaded server, you will very
> quickly

Care to finish that sentence off?  I can only guess at what you might
have said.

Though, I would have thought that on a server you really wouldn't want a
default input accept policy.  You'd have to be *very* *sure* that
everything on that server was internally ignoring connections that
shouldn't be allowed to the outside world.  At least a default deny/drop
incoming policy gives you some measure of protection against surprises.

-- 
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
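The point argued above (a default-deny INPUT policy with explicit allows is safer than default-accept with explicit denies) is easy to get wrong in practice, because once the policy is DROP you must also allow loopback and established traffic or the host cuts itself off. The script below is an added example, not code from either poster: it generates a default-deny ruleset in iptables-restore format, checks it with `iptables-restore --test`, and only applies it when DRY_RUN is cleared. The allowed ports (22, 80, 443), the FORWARD DROP policy and the rate-limited LOG rule are assumptions for a non-routing host.

```shell
#!/bin/sh
# Added example (not from the original thread): default-deny INPUT ruleset.
# ALLOWED_TCP_PORTS is an assumption; set it to the services the host offers.
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 80 443}"

# Emit the ruleset on stdout in iptables-restore format. Nothing is applied here.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback must be allowed explicitly once the INPUT policy is DROP
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened or accepted earlier. Placed first,
# so on a busy server most packets match here and never walk the rest.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP so path-MTU discovery and ping keep working
-A INPUT -p icmp -j ACCEPT
EOF
    # One explicit allow per offered service; everything else hits the policy
    for p in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
# Record what the policy is about to drop, rate-limited so logs cannot be flooded
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Number of ACCEPT rules in the generated set (handy for sanity checks)
count_accept_rules() {
    gen_rules | grep -c -- '-j ACCEPT'
}

# Syntax-check the ruleset, then load it atomically. Needs root.
# DRY_RUN=1 (the default) only prints the ruleset instead of applying it.
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        gen_rules
        return 0
    fi
    gen_rules | iptables-restore --test && gen_rules | iptables-restore
}

apply_rules
```

Loading through iptables-restore rather than a series of `iptables -A` calls matters with a DROP policy: the whole table is swapped in one commit, so there is no window where the policy is DROP but the loopback and ESTABLISHED allows are not yet in place.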
