At 02:15 AM 7/4/00 EDT, [EMAIL PROTECTED] wrote:
>Sorry, no I don't think so. If you set input to DENY, then input is
>DENIED. No rule you put after that makes any difference. Read the fine
>man page. man ipchains is pretty good. What I said was, if you don't
>specify an interface, the rule applies to any and all interfaces. DENY
>is final. That is the last you will hear from that packet.
Depends on what the original poster means by "set". If he means set the
default policy to DENY ... the default policy gets checked only *after* all
the specific rules get run, so he can easily open specific sources,
destinations, ports, or whatever with specific rules. If, on the other hand,
he begins with a broad DENY *rule* (as distinct from a DENY *policy*), that
rule will be at the top of the ruleset (unless he explicitly inserts it
elsewhere) and will block all traffic before it gets to the rest of the rules.
So ... the problem here is an ambiguity in the original question.
The actual problem that started this ... setting up rules specific to the
ppp interface ... remains, and for some rules (anti-spoofing is the obvious
example) there are good reasons to make them interface specific. I'll try
later to come up with a suggestion for that part ... that one isn't a
top-of-my-head solution, though I'm pretty sure there is one.
--
------------------------------------"Never tell me the odds!"---
Ray Olszewski -- Han Solo
Palo Alto, CA [EMAIL PROTECTED]
----------------------------------------------------------------
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.linux-learn.org/faqs
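The policy-versus-rule distinction drawn in the reply above, as an added Python model of ipchains-style first-match evaluation (this is not code from the thread; the LAN prefix, addresses and interface names are constructed):

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One rule; a None criterion matches anything (no -i means every interface)."""
    target: str            # ACCEPT or DENY
    iface: str = None      # -i ppp0
    src: str = None        # -s 192.168.1.0/24
    dport: int = None      # destination port, given with -d in ipchains
    def matches(self, iface, src, dport):
        return ((self.iface is None or self.iface == iface)
                and (self.src is None or ipaddress.ip_address(src) in ipaddress.ip_network(self.src))
                and (self.dport is None or self.dport == dport))

@dataclass
class Chain:
    """Rules are tried in order and the first match wins; the policy is the fallback."""
    policy: str
    rules: list = field(default_factory=list)
    def append(self, rule):          # ipchains -A: the rule goes to the end of the chain
        self.rules.append(rule)
    def verdict(self, iface, src, dport):
        for rule in self.rules:
            if rule.matches(iface, src, dport):
                return rule.target
        return self.policy           # the policy applies only when no rule matched

LAN = "192.168.1.0/24"                      # constructed sample network
SSH_FROM_LAN = Rule("ACCEPT", src=LAN, dport=22)

def policy_deny():
    """Default policy DENY plus a specific ACCEPT rule: the rule is checked first and wins."""
    chain = Chain("DENY")
    chain.append(SSH_FROM_LAN)
    return chain.verdict("eth0", "192.168.1.10", 22)

def deny_rule_first():
    """A broad DENY *rule* ahead of the ACCEPT: the ACCEPT below it is never reached."""
    chain = Chain("ACCEPT")
    chain.append(Rule("DENY"))
    chain.append(SSH_FROM_LAN)
    return chain.verdict("eth0", "192.168.1.10", 22)

def anti_spoof(iface):
    """Interface-specific anti-spoofing: a LAN source is fine on eth0, spoofed on ppp0."""
    chain = Chain("DENY")
    chain.append(Rule("DENY", iface="ppp0", src=LAN))
    chain.append(SSH_FROM_LAN)
    return chain.verdict(iface, "192.168.1.10", 22)
```

The same packet is accepted under a DENY policy but dropped by a DENY rule placed ahead of the ACCEPT, and the anti-spoofing rule only bites when the LAN source arrives on ppp0.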