I have some details and quibbles, Dax.

First there is no iptables DENY rule. This is now "DROP". From the netfilter web site: "The DENY target is now DROP, finally." This rule simply drops the packet on the floor and does nothing at all with it.

Second, more amplification of the above from the netfilter web site regarding REJECT, now an optional module:

> REJECT
> This module has the same effect as `DROP', except that the sender
> is sent an ICMP `port unreachable' error message. Note that the
> ICMP error message is not sent if (see RFC 1122):
>
> * The packet being filtered was an ICMP error message in the first
>   place, or some unknown ICMP type.
> * The packet being filtered was a non-head fragment.
> * We've sent too many ICMP error messages to that destination
>   recently (see /proc/sys/net/ipv4/icmp_ratelimit).
>
> REJECT also takes a `--reject-with' optional argument which alters
> the reply packet used: see the manual page."

This may be the root of the misunderstanding about this issue. (It MAY be that, bowing to pressure from the Cro-Magnon community, DENY may be a valid synonym for DROP. DROP is, however, the proper semantics.)

{^_^}

----- Original Message -----
From: "Dax Kelson" <dax@gurulabs.com>

> IMO, the following stateful rules work well and simplify things a great
> deal when using a default DENY policy.
>
> iptables -P INPUT DENY
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
....

--
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
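As an added illustration (not part of the original post or of netfilter itself), the following Python model encodes the difference between the DROP and REJECT targets as the quoted documentation describes it: DROP answers nothing, while REJECT answers with an ICMP error except for the three listed cases. The `Packet` fields, the `RejectTarget` class and its simplified per-destination counter standing in for `/proc/sys/net/ipv4/icmp_ratelimit` are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# ICMP types that are themselves error messages (RFC 792): dest unreachable,
# source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
# Error types plus the query types a 1990s stack recognised; anything else is "unknown".
ICMP_KNOWN_TYPES = ICMP_ERROR_TYPES | {0, 8, 13, 14, 15, 16, 17, 18}


@dataclass
class Packet:
    """Constructed stand-in for a filtered packet (fields assumed for this example)."""
    src: str                       # sender, i.e. the destination of any ICMP error reply
    proto: str                     # "tcp", "udp" or "icmp"
    frag_offset: int = 0           # > 0 marks a non-head fragment
    icmp_type: Optional[int] = None


@dataclass
class RejectTarget:
    """REJECT: same as DROP, but normally tells the sender why (ICMP error)."""
    reject_with: str = "icmp-port-unreachable"   # the --reject-with default
    ratelimit: int = 2             # simplified stand-in for icmp_ratelimit: max replies per sender
    _sent: Dict[str, int] = field(default_factory=dict)

    def apply(self, pkt: Packet) -> Optional[str]:
        """Return the ICMP reply sent to pkt.src, or None if the packet is only dropped."""
        if pkt.proto == "icmp" and (
            pkt.icmp_type in ICMP_ERROR_TYPES or pkt.icmp_type not in ICMP_KNOWN_TYPES
        ):
            return None            # caveat 1: never answer an ICMP error (or unknown type) with an error
        if pkt.frag_offset > 0:
            return None            # caveat 2: non-head fragments get no reply
        if self._sent.get(pkt.src, 0) >= self.ratelimit:
            return None            # caveat 3: too many errors to this destination recently
        self._sent[pkt.src] = self._sent.get(pkt.src, 0) + 1
        return self.reject_with


def drop(pkt: Packet) -> Optional[str]:
    """DROP (formerly DENY): discard the packet silently, never reply."""
    return None
```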