On Fri, May 23, 2008 at 12:25 PM, Joseph L. Casale <JCasale at activenetwerx.com> wrote:

> In terms of Cisco ACLs, how does iptables work, does it simply continue
> processing until it sees something explicitly denying if the default policy
> is ACCEPT, versus DROP, will it continue processing until it sees something
> explicitly allowing?

iptables will process rules until a match. If the match is -j ACCEPT/REJECT/DROP,
it will end processing there. If it's -j another_chain, it will jump to the other
chain. If it matches a rule in the other chain with -j ACCEPT/REJECT/DROP, it will
stop processing there. Otherwise, if no rule in this inner chain matches, it will
resume processing in the outer chain just after the rule which jumped to the inner
chain.

>> #Finally dropping all other traffic (positive list firewall):
>> iptables -P INPUT DROP
>> iptables -P OUTPUT DROP
>> iptables -P FORWARD DROP

> So here you now restate the default policy? I thought you could only define
> this once?

You define the default policy for every built-in chain: INPUT, OUTPUT and FORWARD.

> Does this -F not reset the above stated policy?

No, it doesn't.

HTH,
Filipe
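As an added illustration (not part of Filipe's reply, and not real iptables), the traversal rules he describes can be modelled in a few lines of Python: rules are tried in order, a terminal target ends the walk, a jump into a user-defined chain that produces no verdict resumes in the calling chain right after the jump, and a built-in chain's policy only applies when nothing matched. The model also shows that flushing rules (-F) leaves the policies set with -P in place. The packet fields, chain name SSH_IN and the sample rules are made up for the example; RETURN is modelled as well, which the reply does not mention but which real iptables handles the same way (back to the caller, or the policy when hit in a built-in chain).

```python
"""Toy model of iptables rule traversal (added illustration, not iptables itself).

Rules are checked in order until one matches. ACCEPT/DROP/REJECT end the walk.
A jump into a user chain enters it; if nothing there gives a verdict (no match,
or RETURN), traversal resumes in the calling chain after the jumping rule.
If no rule in the built-in chain decides, its policy decides. -F removes rules
but does not touch policies.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:          # hypothetical minimal packet description
    proto: str
    dport: int
    src: str


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str        # ACCEPT/DROP/REJECT/RETURN or a user chain name
    label: str = ""


@dataclass
class Firewall:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policies: Dict[str, str] = field(default_factory=dict)

    def set_policy(self, chain: str, policy: str) -> None:   # iptables -P
        if policy not in ("ACCEPT", "DROP"):
            raise ValueError("policies are ACCEPT or DROP")
        self.policies[chain] = policy

    def new_chain(self, chain: str) -> None:                 # iptables -N
        self.chains.setdefault(chain, [])

    def append(self, chain: str, rule: Rule) -> None:        # iptables -A
        self.chains.setdefault(chain, []).append(rule)

    def flush(self, chain: Optional[str] = None) -> None:    # iptables -F
        for name in ([chain] if chain else list(self.chains)):
            self.chains[name] = []                           # policies stay

    def _walk(self, chain: str, pkt: Packet, trace: List[str]) -> Optional[str]:
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            trace.append(f"{chain}: {rule.label or rule.target}")
            if rule.target in TERMINAL:
                return rule.target          # processing ends here
            if rule.target == "RETURN":
                return None                 # back to the caller (or policy)
            verdict = self._walk(rule.target, pkt, trace)   # -j user_chain
            if verdict is not None:
                return verdict
            # inner chain gave no verdict: continue after the jump rule
        return None

    def verdict(self, chain: str, pkt: Packet) -> Tuple[str, List[str]]:
        trace: List[str] = []
        result = self._walk(chain, pkt, trace)
        if result is None:                  # nothing matched: policy decides
            result = self.policies[chain]
            trace.append(f"{chain}: policy {result}")
        return result, trace


def build_example() -> Firewall:
    """Constructed ruleset mirroring the positive-list setup in the thread."""
    fw = Firewall()
    for name in ("INPUT", "OUTPUT", "FORWARD"):
        fw.set_policy(name, "DROP")
    fw.new_chain("SSH_IN")
    fw.append("SSH_IN", Rule(lambda p: p.src.startswith("10.0.0."),
                             "ACCEPT", "allow ssh from lan"))
    fw.append("INPUT", Rule(lambda p: p.proto == "tcp" and p.dport == 22,
                            "SSH_IN", "-j SSH_IN"))
    fw.append("INPUT", Rule(lambda p: p.proto == "tcp" and p.dport == 80,
                            "ACCEPT", "allow http"))
    fw.append("INPUT", Rule(lambda p: p.proto == "tcp" and p.dport == 22,
                            "REJECT", "reject other ssh"))
    return fw


if __name__ == "__main__":
    fw = build_example()
    for pkt in (Packet("tcp", 22, "10.0.0.5"), Packet("tcp", 22, "203.0.113.9"),
                Packet("tcp", 80, "203.0.113.9"), Packet("udp", 53, "10.0.0.5")):
        print(pkt, fw.verdict("INPUT", pkt))
    fw.flush()                               # like iptables -F: rules gone
    print("after flush:", fw.verdict("INPUT", Packet("tcp", 22, "10.0.0.5")))
```

SSH from the LAN is accepted inside SSH_IN; SSH from elsewhere falls out of SSH_IN with no verdict, traversal resumes in INPUT after the jump and reaches the REJECT rule; anything unmatched hits the DROP policy, and after a flush even LAN SSH is dropped because the policy survives.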