> I'd like to add the ability to use the REJECT target as a default policy
> to the netfilter / iptables wishlist.
>
> Using REJECT as a default is currently possible as a kludge; a few steps
> would be saved by allowing it as a default policy. Perhaps that might
> even speed up some filtering in some cases.
>
> A good (IMHO) discussion of DROP vs REJECT has been written by Peter Benie:
> http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
>

So change:

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

To:

:INPUT REJECT [0:0]
:FORWARD REJECT [0:0]
:OUTPUT REJECT [0:0]

I'm not really seeing the added value myself. I think it could have a negative benefit to many who use the chains and expect the default rule to be ACCEPT in order to fall through to the next rule. Or am I not seeing your bigger picture of how REJECT would affect the sub chains?

Gary Smith

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
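The "kludge" the original poster alludes to, shown as an added example that is not from the thread: since iptables does not accept REJECT as a built-in chain policy, a DROP policy is combined with an explicit terminal REJECT rule in each chain, plus a small consistency check that catches a chain which would otherwise fall through to the silent DROP. The loopback, conntrack and port 22 rules are assumptions for illustration.

```shell
#!/bin/sh
# Emulating a REJECT "policy" in iptables-restore format. The built-in policy
# stays DROP (fail-closed if a rule load is interrupted) and the last rule in
# each filtered chain is an explicit REJECT. Pipe the output into
# iptables-restore to load it. Interface, port and conntrack lines are assumptions.

emit_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and established flows first, so the terminal REJECT only sees new traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
# Terminal rules: TCP RST for TCP so clients fail fast instead of retrying,
# ICMP port-unreachable for everything else.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Pre-load check: every chain whose policy is DROP must end in a REJECT rule;
# otherwise unmatched packets silently hit the DROP policy instead of being
# rejected. Exit status 0 means consistent, 1 means a chain falls through.
check_terminal_reject() {
    emit_ruleset | awk '
        BEGIN { bad = 0 }
        /^:/ && $2 == "DROP" { sub(/^:/, "", $1); need[$1] = 1 }
        /^-A/ { last[$2] = $0 }
        END {
            for (c in need) if (last[c] !~ /-j REJECT/) bad = 1
            exit bad
        }'
}

# Usage (as root): check_terminal_reject && emit_ruleset | iptables-restore
```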