On Thu, 2004-08-19 at 06:18, Mark E. Donaldson wrote:

> As you might expect, it is quite easy to DOS the firewall itself
> when OUTPUT is set to DROP. And that is not a real good idea.

Please elaborate - why is it easy to DOS the firewall if the output
policy is DROP? You don't mean icmp/source-quench not getting delivered
or something?

> However, having said that, close scrutiny must be paid to what you
> allow out of the firewall and the necessary rules must be in place.

...which is why I personally use DROP as default policy for all chains
and explicitly allow everything I think necessary :-)

The only exception is in the mangle table, where I use ACCEPT policies
and just filter out the obvious spoofs, unclean frames etc.

Greetings,
Torsten
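The layout Torsten describes, written out as an added example (not the poster's own ruleset): DROP policies on every filter chain with explicit allows, ACCEPT policies in the mangle table used only to discard spoofed and invalid frames. Interface names, the inside network and the `conntrack` match (in place of the old `unclean` module) are assumptions; the script prints an iptables-restore file for review and only loads it when called with `apply`.

```shell
#!/bin/sh
# Constructed example: emit an iptables-restore ruleset with DROP as the
# default policy in every filter chain and ACCEPT policies in mangle.
WAN_IF="${WAN_IF:-eth0}"             # assumed upstream interface
LAN_IF="${LAN_IF:-eth1}"             # assumed inside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed inside network

gen_ruleset() {
cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Frames conntrack cannot classify (bad flags, bogus sequence numbers)
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
# Obvious spoofs: inside or loopback sources arriving from the outside,
# and non-inside sources arriving on the inside interface
-A PREROUTING -i $WAN_IF -s $LAN_NET -j DROP
-A PREROUTING -i $WAN_IF -s 127.0.0.0/8 -j DROP
-A PREROUTING -i $LAN_IF ! -s $LAN_NET -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# What the firewall itself must be allowed to send; with OUTPUT DROP,
# forgetting these leaves the box unable to resolve names or keep time
-A OUTPUT -o $WAN_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# Log what falls through to the DROP policies so silent drops stay visible
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "fw-out-drop: "
COMMIT
EOF
}

# Self-check helper: number of chains whose default policy is DROP
count_drop_policies() {
    gen_ruleset | grep -c '^:[A-Z]* DROP '
}

if [ "${1:-}" = "apply" ]; then gen_ruleset | iptables-restore; else gen_ruleset; fi
```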