On 02/12/2015 08:14 PM, dE wrote:
Looking at the default policies of various zones, I've come to realize that only the drop zone has an affect, that's because this's the only one which drops unmatched packets.
I'm not sure what you mean, but most firewall sets for iptables follow the same pattern. First, allow packets which are part of an established connection, or related to an established connection (such as an FTP data connection). Next, allow new connections by local policy. Finally, drop or reject everything else.
The first and last parts are fairly standard. Some tools will set the policy to DROP, where firewalld instead terminates the rule set with a DROP for invalid packets and REJECT for the rest.
If your point is that the INPUT table policy doesn't have an effect, that is by design. A DROP policy is not required, and it means that if a local admin resets the rule set in order to reload it, there won't be a moment where the POLICY is DROP and there are no ACCEPT rules, leaving the system potentially inaccessible.
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
