From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Mark E. Donaldson"
Subject: RE: A simple question
Date: Wed, 18 Aug 2004 21:18:54 -0700
Sender: netfilter-admin@lists.netfilter.org
References: <41241244.40804@svw.com>
In-Reply-To: <41241244.40804@svw.com>
To: 'Sudheer Divakaran', 'Netfilter mailing list'

> In almost all iptables articles I've found that the default policy of all
> tables (INPUT, OUTPUT, FORWARD) is set to DROP. I can understand it as far
> as the INPUT and FORWARD tables are concerned, but I do not understand why
> we should set the default policy of the OUTPUT chain to DROP. The OUTPUT
> chain is responsible for packets originating from the firewall itself. Why
> should we DROP it?
>
> Thanks,
> Sudheer

What you say is indeed correct. Most of the articles on the subject do
recommend a default DROP on all three tables. However, I personally do set
my OUTPUT default to ACCEPT, while my FORWARD and INPUT are definitely set
to DROP. As you might expect, it is quite easy to DoS the firewall itself
when OUTPUT is set to DROP, and that is not a really good idea. However,
having said that, close scrutiny must be paid to what you allow out of the
firewall, and the necessary rules must be in place.
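The two policies discussed above, written out side by side as an added example (this is not code from the list post or from the netfilter project). Each function emits a ruleset in iptables-restore syntax: the first is the reply's choice (INPUT/FORWARD DROP, OUTPUT ACCEPT), the second sets OUTPUT to DROP as well and therefore has to list every service the firewall box itself depends on; any one of those missing (DNS is the classic) is the self-inflicted denial of service the reply warns about. The interface names, the resolver address and the chosen outbound services are assumptions for the illustration; `iptables-restore --test` is the real tool's dry-run flag and needs root, so the check is skipped where it is unavailable.

```shell
#!/bin/sh
# Added example: generate and inspect two filter rulesets that differ only in
# the OUTPUT default policy. Not from the original post. Values below are
# assumed for the example.
LAN_IF="eth1"             # assumed internal interface
WAN_IF="eth0"             # assumed external interface
DNS_SERVER="192.0.2.53"   # assumed resolver (documentation address)

# Variant 1 (what the reply recommends): INPUT and FORWARD default DROP,
# OUTPUT default ACCEPT. Traffic the firewall originates leaves freely, so
# the box cannot starve its own name resolution, NTP or remote logging.
ruleset_output_accept() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Variant 2: OUTPUT default DROP as well. Everything the firewall itself
# needs (loopback, replies to inbound sessions, DNS, NTP, ICMP errors and
# whatever it fetches from the outside) must now be allowed explicitly.
# Forgetting one line here is how the box ends up DoSing itself.
# "-m conntrack --ctstate" is the current spelling of "-m state --state".
ruleset_output_drop() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p udp -d $DNS_SERVER --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d $DNS_SERVER --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 443 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Print the default policy of chain $1 from a ruleset read on stdin.
chain_policy() {
  sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}

# Count explicit OUTPUT rules in a ruleset read on stdin: a rough measure of
# the extra maintenance a DROP policy on OUTPUT buys you.
output_rule_count() {
  awk '/^-A OUTPUT /{n++} END{print n+0}'
}

# Dry-run parse of a ruleset read on stdin without loading it. Needs root and
# an iptables install; silently skipped elsewhere so the script stays usable.
check_ruleset() {
  if command -v iptables-restore >/dev/null 2>&1; then
    iptables-restore --test
  else
    cat >/dev/null
  fi
}

# Usage: show how much OUTPUT-specific rule maintenance each variant needs.
for v in ruleset_output_accept ruleset_output_drop; do
  printf '%s: OUTPUT policy %s, %s explicit OUTPUT rules\n' "$v" \
    "$($v | chain_policy OUTPUT)" "$($v | output_rule_count)"
done
```

Run it as a normal user to compare the two rulesets; with root, pipe either function into `check_ruleset` before committing it with `iptables-restore`.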