On 02/13/15 23:27, Gordon Messmer wrote:
> On 02/12/2015 08:14 PM, dE wrote:
>> Looking at the default policies of various zones, I've come to
>> realize that only the drop zone has an effect; that's because this is
>> the only one which drops unmatched packets.
>
> I'm not sure what you mean, but most firewall sets for iptables follow
> the same pattern. First, allow packets which are part of an
> established connection, or related to an established connection (such
> as an FTP data connection). Next, allow new connections by local
> policy. Finally, drop or reject everything else.
>
> The first and last parts are fairly standard. Some tools will set the
> policy to DROP, where firewalld instead terminates the rule set with a
> DROP for invalid packets and REJECT for the rest.
>
> If your point is that the INPUT table policy doesn't have an effect,
> that is by design. A DROP policy is not required, and it means that
> if a local admin resets the rule set in order to reload it, there
> won't be a moment where the POLICY is DROP and there are no ACCEPT
> rules, leaving the system potentially inaccessible.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

But firewalld has no effect. All ports are open.
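The rule-set pattern Gordon describes (accept ESTABLISHED/RELATED first, then locally permitted NEW connections, then DROP INVALID and REJECT the rest, with the chain policy left at ACCEPT) can be modelled without touching a real netfilter table. The following is an added example, not code from the thread, firewalld or iptables: a minimal in-memory INPUT chain with a handful of constructed packets. The `Packet`, `Rule` and `Chain` names and the helper functions are hypothetical; `flush()` stands in for what `iptables -F INPUT` does during a reload, i.e. the rules disappear while the chain policy stays. Comparing a firewalld-style chain with a chain that relies on a DROP policy shows why the former stays reachable during that reload window and the latter does not.

```python
"""Toy model of an iptables INPUT chain, built to illustrate the rule-set
pattern from the mailing-list thread.  Constructed example: not firewalld
or iptables code, and the conntrack state is simply a field on the packet."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    ctstate: str    # conntrack view: NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    """One rule: every non-None field must match for the target to apply."""
    target: str                                  # ACCEPT, DROP or REJECT
    ctstates: Optional[frozenset] = None         # like -m conntrack --ctstate
    proto: Optional[str] = None                  # like -p tcp
    dport: Optional[int] = None                  # like --dport 22

    def matches(self, pkt: Packet) -> bool:
        if self.ctstates is not None and pkt.ctstate not in self.ctstates:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass
class Chain:
    policy: str                                  # verdict when no rule matches
    rules: list = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        # First matching rule wins; the policy only applies if nothing matched.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

    def flush(self) -> None:
        # Models `iptables -F INPUT`: rules go away, the chain policy stays.
        self.rules = []


def _allow_rules(open_tcp_ports):
    """Shared prefix: established/related first, then permitted NEW ports."""
    rules = [Rule("ACCEPT", ctstates=frozenset({"ESTABLISHED", "RELATED"}))]
    rules += [Rule("ACCEPT", ctstates=frozenset({"NEW"}), proto="tcp", dport=p)
              for p in open_tcp_ports]
    return rules


def firewalld_style(open_tcp_ports) -> Chain:
    """Policy ACCEPT; the chain itself ends with DROP INVALID and REJECT."""
    rules = _allow_rules(open_tcp_ports)
    rules += [Rule("DROP", ctstates=frozenset({"INVALID"})), Rule("REJECT")]
    return Chain("ACCEPT", rules)


def policy_drop_style(open_tcp_ports) -> Chain:
    """Same allow rules, but everything else is left to a DROP policy."""
    return Chain("DROP", _allow_rules(open_tcp_ports))


def compare_reload_window() -> dict:
    """Verdicts with the rules loaded, then for a new SSH connection after a flush."""
    ssh_new = Packet("tcp", 22, "NEW")          # constructed: admin connecting
    http_new = Packet("tcp", 80, "NEW")         # constructed: port not opened
    reply = Packet("tcp", 45000, "ESTABLISHED")  # constructed: return traffic
    results = {}
    for name, chain in (("firewalld_style", firewalld_style([22])),
                        ("policy_drop", policy_drop_style([22]))):
        loaded = (chain.verdict(ssh_new), chain.verdict(http_new), chain.verdict(reply))
        chain.flush()
        results[name] = {"loaded": loaded, "flushed_ssh": chain.verdict(ssh_new)}
    return results


if __name__ == "__main__":
    for name, outcome in compare_reload_window().items():
        print(f"{name}: loaded={outcome['loaded']} "
              f"new SSH during reload={outcome['flushed_ssh']}")
```

With the rules loaded both chains behave alike for a permitted SSH connection and for return traffic, and both refuse an unopened port (REJECT in one case, DROP in the other). After the flush, the firewalld-style chain falls back to its ACCEPT policy and the admin's new SSH connection still gets through, whereas the policy-DROP chain drops it, which is the lock-out risk the reply describes.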