Re: Iptables

On Fri, May 20, 2005 at 07:38:57AM +0200, Chadley Wilson wrote:
> Would it be safe to set the OUTPUT default policy to ACCEPT?
> Every time I set it to DROP I get locked out, I suppose it has to do with the 
> fact that I have no rules for the OUTPUT chain.

well, if you're not going to add any rules to OUTPUT, then--yeah, leave
it at ACCEPT.  the OUTPUT policy as ACCEPT or DROP is really more of an
ideological debate than anything else.  personally, i set mine to DROP
and only allow the traffic that is absolutely necessary to save me from
myself (i.e. don't tempt the fw admin to use the fw as a shell
account).  things i deem necessary to allow out:

  DNS
  NTP
  FTP/HTTP to update server IP's
  ICMP

this is all politic, i don't intend any decree by the statements made
here.

-j

--
"Lois: What's going on?
 Stewie: We're playing house.
 Lois: The boy is all tied up.
 Stewie: Roman Polanski's house."
        --Family Guy
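
One way to lay out the outbound allow-list described in the message above, as an added example that is not part of the original post: a script that prints, but does not apply, the iptables commands. The ESTABLISHED,RELATED rule, the port numbers and setting the DROP policy last are assumptions of this example; with an empty OUTPUT chain and a DROP policy, replies on an existing SSH session are dropped, which matches the lockout in the quoted question.

```shell
#!/bin/sh
# Added example (not from the original post): print the iptables commands for
# an OUTPUT chain with policy DROP. Nothing is applied; review the output and
# run it as root yourself. Update-server IPs are supplied by the caller.

is_ipv4() {
    # Digits and dots only, so hostnames (which would need DNS at load time) are refused.
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    octet='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($octet\.){3}$octet\$"
}

emit_output_rules() {
    [ "$#" -ge 1 ] || { echo "usage: emit_output_rules UPDATE_SERVER_IP..." >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    done
    # Start from ACCEPT so a re-run over an existing DROP policy cannot strand the session.
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F OUTPUT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Replies on connections the host already accepted (e.g. the admin's SSH
    # session). FTP data channels only match RELATED with the FTP conntrack helper.
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # DNS (UDP, plus TCP for large answers) and NTP.
    echo "iptables -A OUTPUT -p udp --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -p udp --dport 123 -j ACCEPT"
    # HTTP and FTP control, restricted to the update servers' addresses.
    for ip in "$@"; do
        echo "iptables -A OUTPUT -p tcp -d $ip --dport 80 -j ACCEPT"
        echo "iptables -A OUTPUT -p tcp -d $ip --dport 21 -j ACCEPT"
    done
    echo "iptables -A OUTPUT -p icmp -j ACCEPT"
    # Policy goes last: every ACCEPT rule is in place before anything is dropped.
    echo "iptables -P OUTPUT DROP"
}

# Constructed sample address (TEST-NET-1) when no argument is given.
[ "$#" -gt 0 ] || set -- 192.0.2.10
emit_output_rules "$@"
```

Piping the output through `sh` as root applies it; keeping a second root session open while testing gives a way back if a rule is wrong.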

