Mart Frauenlob wrote:
> More continuous would be IMHO:
> - filter table - DROP allowed and right - DROP policy = good
> - mangle table - DROP prohibited - DROP policy = prohibited
> - nat table - DROP prohibited - DROP policy = prohibited
> - raw table - DROP allowed and right for avoiding conntrack - DROP policy = prohibited
If I follow you then I would say that we do not need any policy in
mangle, nat, raw table...
Just simply accept any packet...
> Again, why allow, what is considered wrong?
> If you know what you are doing, filtering in the nat table will do
> what you want, because you know about the special behaviour.
> Only the lack of knowledge makes things go wrong.
(nod)
> And that is the point. If you know iptables, you do your filtering in
> the filter table, or in the raw table (to avoid conntrack for some
> blacklist kind of stuff).
Maybe we could delete that conntrack entry if we drop a packet in the
filter table...
> Many of them are inexperienced. Therefore the concept should be clear,
> continuous and error messages should be understandable.
(nod)
> Preventing the user from doing nonsense. It's about the security, not
> some trivial thing...
(nod)(nod)
> Well, just thoughts about my favorite software... :)
lol
One more thing...
If there is no policy in the tables (except filter) then the ACCEPT
target is (MAYBE) useless in those tables...
Swifty
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
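The table layout Mart's list and the rest of the thread argue for, written out as an iptables-restore ruleset: DROP decisions only in filter (with DROP policies) and in raw (where the drop also keeps the traffic out of conntrack), while mangle and nat keep ACCEPT policies and never filter. This is an added example, not from the thread or the netfilter project; the 192.0.2.0/24 blacklist, eth0 and the untracked DNS service are made-up placeholders, and the filter section goes one step further than the thread by showing how untracked packets must then be matched explicitly.

```text
# Constructed example for iptables-restore. 192.0.2.0/24, eth0 and the
# DNS service are placeholders, not values from the thread.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Blacklist drop in raw: the packet is discarded before conntrack sees it,
# so no connection entry is ever created. The chain policy stays ACCEPT.
-A PREROUTING -s 192.0.2.0/24 -j DROP
# Traffic we do not want tracked at all (high-volume DNS on this host).
-A PREROUTING -i eth0 -p udp --dport 53 -j CT --notrack
-A OUTPUT -o eth0 -p udp --sport 53 -j CT --notrack
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Marking only; no DROP and no DROP policy in this table.
-A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x1
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# nat only sees the first packet of each connection, so a DROP here would
# not filter the rest of the flow. Address translation only.
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# All filtering lives here, behind an explicit default-deny policy.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Packets exempted from tracking in raw never become ESTABLISHED; they
# have to be accepted by their own match or the policy drops them.
-A INPUT -i eth0 -p udp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
COMMIT
```

Load it with `iptables-restore < ruleset` as root; `iptables-save` afterwards shows the same four-table layout with policies only in filter.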