On Sunday 03 November 2002 9:23 am, Robert P. J. Day wrote:
> On Sat, 2 Nov 2002, Rob wrote:
> > > > You should never set any default policy other than ACCEPT on
> > > > a nat or mangle table.
> > > >
> > > > I sometimes think it was a bad idea even to make it possible.
> > >
> > > No, I don't think so. It's hard for beginners, yes. But once
> > > you understand
> > > what iptables is capable of (compared to other commercial products)
> > > you actually are glad that there is a product giving you control over
> > > everything.
> > > Defining the policies for every chain is such a freedom.
> >
> > Can you think of a situation where it would be a good idea to set
> > a default
> > policy other than ACCEPT for a nat or mangle table?
> >
> > Antony.
>
> perhaps i missed an earlier response to this, but what is the
> effect of setting a DROP policy on a nat or mangle chain?
> does this mean that any packet that matches a mangle or nat rule
> will be, not mangle'd or nat'ed, but dropped?

No, but you're close. It means that any packet which does *not* match a
mangle or nat rule will be dropped. The ones which do match a rule will
do whatever that rule says.

> sorry if this question has an obvious answer, but assigning a
> default policy to anything but the filter table is woefully
> under-documented.

IMHO the only documentation it needs is "don't". :-)

Antony.

--
In science, one tries to tell people in such a way as to be understood
by everyone something that no-one ever knew before. In poetry, it is
the exact opposite. - Paul Dirac
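A quick audit for the mistake discussed in this thread, added here as an example and not part of the original message: it reads an iptables-save dump and reports every nat or mangle chain whose default policy is not ACCEPT. The dump below is constructed for illustration; the function name find_bad_policies is my own.

```shell
#!/bin/sh
# Constructed iptables-save style dump (not from the thread). The nat
# POSTROUTING chain has been given a DROP policy, so any packet that no
# nat rule matches is dropped instead of passing through untouched.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING DROP [0:0]
:DOCKER - [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# find_bad_policies: read an iptables-save dump on stdin and print
# "table chain policy" for every nat or mangle chain whose default
# policy is not ACCEPT. "*table" lines switch the current table;
# ":CHAIN POLICY [pkts:bytes]" lines declare a chain. User-defined
# chains carry "-" as their policy and are skipped, because only the
# built-in chains actually have a default policy.
find_bad_policies() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        /^:/ && (table == "nat" || table == "mangle") {
            chain = substr($1, 2)
            if ($2 != "ACCEPT" && $2 != "-") print table, chain, $2
        }
    '
}

# Usage against the live ruleset (needs root): iptables-save | find_bad_policies
# Here the constructed dump is checked instead.
printf '%s\n' "$SAMPLE_DUMP" | find_bad_policies
```

An empty result means every nat and mangle chain still has the ACCEPT policy the thread recommends.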