On Tue, 28 Oct 2003, Knight, Steve wrote:

> Hi there
>
> Rh9 has installed all the default filter policies as "accept" and then
> forwards all packets from INPUT and FORWARD to a Lokkit chain.
>
> Is this normal? It seems to me [as an iptables n00b, although I am
> checkpoint certified] to be ok, as eventually the traffic is hitting the
> detailed lokkit chain, but is this the default install options that everyone
> gets?

it seems that it's just a philosophical difference. you can set
the DENY policy, then explicitly accept only what you want, or as
RH did, accept everything only to pass it all to a user-defined chain
that effectively does the same thing.

personally, i'd rather see a DENY policy so that, if i somehow
messed up some of my rules, i'm more likely to be *more* restrictive
than less restrictive. but RH's approach seems no worse, just
different.

rday
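
The fail-open versus fail-closed difference discussed in this reply, modelled as an added example (not part of the original message and not Red Hat's actual rules): a small Python simulation of filter-table traversal in which the user-defined chain's final catch-all rule is either present or accidentally missing. The chain name `USER-CHAIN`, the rules and the probe packet are constructed for illustration, and the model uses DROP, the iptables target name, for the restrictive policy.

```python
# Added illustration: a minimal model of iptables filter-table traversal.
# Rule contents are constructed; they are not the real RH-Lokkit chain.

def match(rule, pkt):
    """A rule matches when every field it names equals the packet's field."""
    return all(pkt.get(k) == v for k, v in rule["match"].items())

def traverse(chains, name, pkt):
    """Walk one chain; return a verdict, or None when the chain is exhausted."""
    for rule in chains[name]:
        if not match(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        verdict = traverse(chains, target, pkt)   # jump to user-defined chain
        if verdict is not None:
            return verdict                        # else fall back to the caller
    return None

def filter_input(chains, policy, pkt):
    """Built-in chain: the policy applies only if no rule gave a verdict."""
    return traverse(chains, "INPUT", pkt) or policy

def ruleset(with_catch_all):
    """INPUT hands everything to a user chain (the layout described above)."""
    user = [
        {"match": {"state": "ESTABLISHED"}, "target": "ACCEPT"},
        {"match": {"proto": "tcp", "dport": 22}, "target": "ACCEPT"},
    ]
    if with_catch_all:
        user.append({"match": {}, "target": "REJECT"})  # final catch-all
    return {"INPUT": [{"match": {}, "target": "USER-CHAIN"}], "USER-CHAIN": user}

def compare(pkt):
    """Verdict for each (policy, catch-all present?) combination."""
    return {
        (policy, ok): filter_input(ruleset(ok), policy, pkt)
        for policy in ("ACCEPT", "DROP")
        for ok in (True, False)
    }

if __name__ == "__main__":
    probe = {"proto": "tcp", "dport": 3306, "state": "NEW"}  # constructed packet
    for (policy, ok), verdict in compare(probe).items():
        print(f"policy={policy:6} catch_all={ok!s:5} -> {verdict}")
```

With the catch-all in place both layouts give the same verdict; only when it is missing does the built-in policy decide, which is the case the reply is concerned with.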