On 02/13/15 23:27, Gordon Messmer wrote:
On 02/12/2015 08:14 PM, dE wrote:
Looking at the default policies of various zones, I've come to
realize that only the drop zone has an effect; that's because this is
the only one which drops unmatched packets.
I'm not sure what you mean, but most firewall sets for iptables follow
the same pattern. First, allow packets which are part of an
established connection, or related to an established connection (such
as an FTP data connection). Next, allow new connections by local
policy. Finally, drop or reject everything else.
The first and last parts are fairly standard. Some tools will set the
policy to DROP, where firewalld instead terminates the rule set with a
DROP for invalid packets and REJECT for the rest.
If your point is that the INPUT table policy doesn't have an effect,
that is by design. A DROP policy is not required, and it means that
if a local admin resets the rule set in order to reload it, there
won't be a moment where the POLICY is DROP and there are no ACCEPT
rules, leaving the system potentially inaccessible.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
But firewalld has no effect. All ports are open.
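The rule-set shape Gordon describes (accept ESTABLISHED/RELATED first, then new connections by local policy, then DROP for INVALID and REJECT for the rest, with the chain policy left at ACCEPT so a reset cannot lock the admin out) as an added example, not code from the thread or from firewalld itself. The generator emits iptables-restore syntax; the allowed TCP ports and the loopback rule are a constructed local policy, and the `--reject-with icmp-host-prohibited` target matches what CentOS ships but is an assumption here.

```shell
#!/bin/sh
# Added example (not from the list thread): emit an iptables-restore
# ruleset in the shape described in the thread. Chain policy stays ACCEPT,
# so a flush never leaves the host unreachable; the terminal rules do the
# blocking instead. The allowed TCP ports are a constructed local policy.
ALLOWED_TCP_PORTS="22 80 443"

filter_ruleset() {
    # Policies stay ACCEPT (firewalld's approach): blocking is done by
    # explicit terminal rules, not by the chain policy.
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # 1. Packets belonging to, or related to, an existing connection
    #    (e.g. an FTP data connection after the helper saw the control
    #    channel) are accepted first.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    # 2. New connections allowed by local policy (constructed port list).
    for p in $ALLOWED_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # 3. Everything else: INVALID is dropped, the remainder rejected.
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# Return 0 when no chain policy in the generated ruleset is DROP, i.e. a
# bare `iptables -F` during a reload cannot lock the admin out: flushing
# removes rules but keeps the policy, and an ACCEPT policy with no rules
# still answers.
ruleset_is_lockout_safe() {
    ! filter_ruleset | grep -q '^:[A-Z]* DROP'
}

# Line number of the first terminal (REJECT) rule, to confirm the
# ESTABLISHED,RELATED accept precedes it.
first_reject_line() {
    filter_ruleset | grep -n -- '-j REJECT' | head -n 1 | cut -d: -f1
}

first_related_line() {
    filter_ruleset | grep -n 'ESTABLISHED,RELATED' | head -n 1 | cut -d: -f1
}

# To load on a real host (as root): filter_ruleset | iptables-restore
# iptables-restore replaces the table in one step, so there is no window
# with a restrictive policy and no ACCEPT rules.
```

Running the script itself only prints the ruleset; piping it into `iptables-restore` applies the whole table atomically, which is the other common answer to the reload window Gordon mentions.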