On January 22, 2004 05:48 am, Technical wrote:
> > Technical wrote:
> >> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > For this chain (presumably packets inbound to the network), accept any
> > packets that are part of established TCP connections (ie: a SYN packet
> > for the connection has gone out from the network), or related to UDP
> > packets that have gone out through the firewall.
> >
> >> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> >
> > Otherwise, reject the packet by sending back an ICMP message telling the
> > remote host that communication with its intended target is
> > administratively prohibited.
> >
> > HTH
> > Alex Satrapa
>
> If the default is that iptables is to reject all packets that cannot be
> dealt with by any of the previous rules, why would someone use the last
> rule?? Am I missing something??

The reply with host-prohibited is used to send a different ICMP response than
would normally be sent (policy DROP doesn't reply) ... I believe also that the
core tables in a RH firewall are *not* set DROP -- they do that in the user
chains they create. .... but that's hearsay so I don't count it 100% accurate.

Alistair.
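Added example, not part of the thread above: a small Python model of how the iptables filter table walks the built-in INPUT chain, jumps into a user chain such as RH-Firewall-1-INPUT, and falls back to the built-in chain's policy when the user chain runs out of rules without a verdict. It illustrates Alistair's point: if INPUT's policy is ACCEPT and the user chain does the blocking, the final REJECT rule is what stops unsolicited packets, and it answers with icmp-host-prohibited where a DROP policy would answer with nothing. The ruleset, the extra SSH allow rule, the packet fields and the conntrack states are constructed for the demonstration; real iptables evaluates far more than this.

```python
"""Toy model of iptables filter-table chain traversal (constructed example).

Models only what is needed to show why the trailing REJECT rule in a
Red Hat style RH-Firewall-1-INPUT chain matters when the built-in INPUT
chain's policy is ACCEPT, and how REJECT differs from a DROP policy.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    proto: str   # "tcp" or "udp" (constructed)
    dport: int   # destination port
    state: str   # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str                       # ACCEPT, DROP, REJECT, or a user-chain name
    reject_with: Optional[str] = None  # ICMP type for REJECT, e.g. icmp-host-prohibited


@dataclass
class Chain:
    name: str
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None  # only built-in chains (INPUT, ...) carry a policy


class FilterTable:
    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {}

    def add_chain(self, chain: Chain) -> None:
        self.chains[chain.name] = chain

    def _walk(self, chain_name: str, pkt: Packet) -> Optional[str]:
        """Walk one chain; return a verdict, or None if the chain fell through."""
        for rule in self.chains[chain_name].rules:
            if not rule.match(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            if rule.target == "REJECT":
                # iptables defaults to icmp-port-unreachable when no --reject-with is given
                return f"REJECT({rule.reject_with or 'icmp-port-unreachable'})"
            # Any other target is a jump into a user chain. If that chain
            # falls through (implicit RETURN), evaluation resumes here.
            verdict = self._walk(rule.target, pkt)
            if verdict is not None:
                return verdict
        return None

    def verdict(self, pkt: Packet) -> str:
        """Verdict for an inbound packet: INPUT chain, then INPUT's policy."""
        v = self._walk("INPUT", pkt)
        return v if v is not None else self.chains["INPUT"].policy or "ACCEPT"


def rh_firewall(policy: str = "ACCEPT", with_final_reject: bool = True) -> FilterTable:
    """Build the constructed ruleset: INPUT jumps to RH-Firewall-1-INPUT."""
    table = FilterTable()
    inp = Chain("INPUT", policy=policy)
    inp.rules.append(Rule(lambda p: True, "RH-Firewall-1-INPUT"))

    user = Chain("RH-Firewall-1-INPUT")
    # -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    user.rules.append(Rule(lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"))
    # Constructed allow rule for new SSH connections, typical of such a chain
    user.rules.append(Rule(lambda p: p.proto == "tcp" and p.dport == 22 and p.state == "NEW", "ACCEPT"))
    if with_final_reject:
        # -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
        user.rules.append(Rule(lambda p: True, "REJECT", "icmp-host-prohibited"))

    table.add_chain(inp)
    table.add_chain(user)
    return table


if __name__ == "__main__":
    unsolicited = Packet("tcp", 80, "NEW")
    reply = Packet("tcp", 80, "ESTABLISHED")
    print("reply traffic, full chain:       ", rh_firewall().verdict(reply))
    print("unsolicited, full chain:         ", rh_firewall().verdict(unsolicited))
    print("unsolicited, REJECT rule removed:", rh_firewall(with_final_reject=False).verdict(unsolicited))
    print("unsolicited, policy DROP instead:", rh_firewall("DROP", with_final_reject=False).verdict(unsolicited))
```

With the REJECT rule removed and INPUT left at policy ACCEPT, the unsolicited packet falls out of the user chain, back into INPUT, and is accepted by the policy; that is why the trailing rule is not redundant in that layout. Switching the policy to DROP blocks the same packet silently, which is the behavioural difference between DROP and REJECT --reject-with icmp-host-prohibited that the thread is about.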