On Mon, 2003-03-24 at 16:43, Ales Stibal wrote:
> IMO it's better to set DROP as default policy and allow only the traffic
> you *really* need.
> I use DROP for INPUT and FORWARD. I have ACCEPT for OUTPUT on my home box.
> This approach will fit nearly all easy installations.

I can almost guarantee that if you set the default policies to DROP you
will lock yourself out of the machine sometime :)

I usually add a -j DROP rule at the end instead so that if I get the not
so bright idea to flush the INPUT chain I won't be locked out. The
downside is that you can't just append rules with -A since the -j DROP
rule will drop the packets before the newly appended rules are checked.

IIRC someone sent a patch quite some time ago that made it possible to
write something like this to add a rule second last in the chain:

iptables -I INPUT -2 -s x.x.x.x -j ACCEPT

I can find that quite useful so I'll see if I can find that patch and
convince Harald into accepting it :)

-- 
/Martin
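The "append lands after the trailing DROP" problem above can be worked around with stock iptables by computing the DROP rule's position and using `-I <chain> <n>`. The following is an added illustration, not code from the thread or from the netfilter project; it parses the `iptables -S` listing format and, for offline use, runs against a constructed sample chain rather than a live ruleset (the function and variable names are my own).

```shell
# Position of the trailing "-j DROP" rule in a chain, computed from the
# output of `iptables -S <chain>` (one "-A <chain> ..." line per rule after
# the "-P" policy line). Inserting with `iptables -I <chain> <n>` at that
# index puts the new rule just before the DROP instead of after it.
drop_rule_position() {
    # $1: chain name; stdin: `iptables -S` output for that chain
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain { n++; last = $0 }
        END {
            # only meaningful when the last rule really is the catch-all DROP
            if (n > 0 && last ~ / -j DROP$/) print n; else print 0
        }'
}

# Build (print, do not execute) the iptables command that inserts an ACCEPT
# rule for one source address immediately before the trailing DROP.
insert_before_drop_cmd() {
    # $1: chain, $2: source address; stdin: `iptables -S` output
    pos=$(drop_rule_position "$1")
    if [ "$pos" -eq 0 ]; then
        echo "error: last rule in $1 is not a catch-all DROP" >&2
        return 1
    fi
    echo "iptables -I $1 $pos -s $2 -j ACCEPT"
}

# Constructed sample listing (not captured from a real host) mirroring the
# layout described in the mail: default policy ACCEPT, explicit DROP last.
SAMPLE_INPUT_CHAIN='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'

# On a live system feed `iptables -S INPUT` in place of the sample.
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | insert_before_drop_cmd INPUT 192.0.2.10
```

With the sample chain this prints `iptables -I INPUT 4 -s 192.0.2.10 -j ACCEPT`, i.e. the new rule takes slot 4 and the DROP shifts to slot 5.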