On Mon, Sep 29, 2003 at 01:45:52PM -0400, Parker Morse wrote:
> I'm not the best person to be asking about firewalls, but:
>
> I think you're confused about the way OUTPUT works. It acts on any
> packets sent out by your system. Unless you are concerned about how
> users of your system are going to be using it, you're creating more
> problems than you're solving by having too many rules on OUTPUT. Unlike
> INPUT, where you don't know what's coming in from outside, you're
> better off with a permissive policy (only blocking ports which cause
> trouble, instead of only opening ports you need) on OUTPUT.

"Better off" is subjective. Having a permissive policy on the OUTPUT
chain is certainly less work for the admin. But I lock all chains down
cuz then I have to force myself to write the rules I need to get packets
out as well as in. I like knowing what my firewall is set to do rather
than take it on faith.

--
Jack Bowling
mailto: jbinpg@xxxxxxx
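
The locked-down approach described in the reply above, as an added example that is not part of the original thread: a shell function that prints an iptables-restore ruleset with DROP as the policy on INPUT, FORWARD and OUTPUT, one explicit rule per permitted new outbound connection, and a rate-limited LOG rule so blocked outbound packets show up in the kernel log. The function name `emit_ruleset`, the permitted ports and the `OUT-DROP: ` log prefix are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: build a default-deny ruleset in iptables-restore format.
# Nothing here touches the running firewall; it only prints text.

# emit_ruleset PROTO:PORT ...   prints the ruleset, returns 1 on bad input
emit_ruleset() {
    rules=""
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec#*:}
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol: $spec" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*|??????*) echo "bad port: $spec" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $spec" >&2; return 1
        fi
        # Only NEW connections to listed ports may leave the host.
        rules="${rules}-A OUTPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT
"
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${rules}-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
COMMIT
EOF
}

# Constructed sample: allow only DNS, HTTP, HTTPS and outbound SMTP.
# After reviewing the output, root can load it by piping to iptables-restore.
emit_ruleset udp:53 tcp:53 tcp:80 tcp:443 tcp:25
```

Anything not listed falls through to the LOG rule and then the chain's DROP policy, so the kernel log shows which outbound rules still need to be written.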