On Sun, Jul 22, 2001 at 01:33:11PM -0500, Matthew Garman wrote:
> This makes sense to me, but in a lot of example firewalls I've seen
> floating around the 'net, they have explicit DROP rules (in addition to
> setting the default policy to DROP). This seems redundant to me---if you
> DROP everything by default, why would you need to explicitly set even more
> DROP rules?
This is useful if you, for instance, only want to ACCEPT everything from a specific subnet EXCEPT a single host. You would then insert a DROP condition for that single host followed by an ACCEPT for the subnet. No redundancy and maximum readability.

--
Salu2, Søren.
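The ordering point made in the reply (DROP for one host placed before ACCEPT for its subnet), shown as an added example that is not part of the original thread: a small first-match simulation of a chain, plus the iptables commands that would build it in that order. The addresses are constructed documentation-range values, not from the thread.

```python
import ipaddress

# Constructed example: a minimal first-match rule table that mimics how an
# iptables chain is evaluated. Rules are checked in order, the first matching
# rule decides the verdict, and the chain policy applies only if none match.
BLOCKED_HOST = "192.0.2.66"      # the single host to drop (constructed value)
TRUSTED_SUBNET = "192.0.2.0/24"  # the subnet to accept (constructed value)

# The order the reply recommends: DROP the host first, then ACCEPT the subnet.
RULES_CORRECT = [
    ("DROP", ipaddress.ip_network(BLOCKED_HOST + "/32")),
    ("ACCEPT", ipaddress.ip_network(TRUSTED_SUBNET)),
]

# Same two rules reversed: the subnet ACCEPT matches the host first,
# so the DROP rule is never reached and the host gets through.
RULES_REVERSED = list(reversed(RULES_CORRECT))


def evaluate(chain, src, policy="DROP"):
    """Return the verdict for a packet from `src` under first-match semantics.

    `policy` plays the role of the chain's default policy (iptables -P).
    """
    addr = ipaddress.ip_address(src)
    for target, net in chain:
        if addr in net:
            return target  # first match wins, later rules are not consulted
    return policy


def iptables_commands(chain, policy="DROP"):
    """Render the chain as the iptables commands that build it in that order."""
    cmds = [f"iptables -P INPUT {policy}"]
    for target, net in chain:
        # -A appends, so issuing these in list order reproduces the chain order.
        cmds.append(f"iptables -A INPUT -s {net.with_prefixlen} -j {target}")
    return cmds


if __name__ == "__main__":
    for name, chain in (("correct", RULES_CORRECT), ("reversed", RULES_REVERSED)):
        print(name, BLOCKED_HOST, "->", evaluate(chain, BLOCKED_HOST))
    print("\n".join(iptables_commands(RULES_CORRECT)))
```

The reversed chain illustrates why rule order, not the number of DROP rules, is what matters: the host exception only works when its DROP precedes the broader ACCEPT.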

