[CentOS] firewalld default policy = allow = no affect.

Tue Feb 17 03:39:43 UTC 2015
dE <de.techno at gmail.com>

On 02/13/15 23:27, Gordon Messmer wrote:
> On 02/12/2015 08:14 PM, dE wrote:
>> Looking at the default policies of various zones, I've come to 
>> realize that only the drop zone has an affect, that's because this's 
>> the only one which drops unmatched packets. 
>
> I'm not sure what you mean, but most firewall sets for iptables follow 
> the same pattern.  First, allow packets which are part of an 
> established connection, or related to an established connection (such 
> as an FTP data connection).  Next, allow new connections by local 
> policy.  Finally, drop or reject everything else.
>
> The first and last parts are fairly standard.  Some tools will set the 
> policy to DROP, where firewalld instead terminates the rule set with a 
> DROP for invalid packets and REJECT for the rest.
>
> If your point is that the INPUT table policy doesn't have an effect, 
> that is by design.  A DROP policy is not required, and it means that 
> if a local admin resets the rule set in order to reload it, there 
> won't be a moment where the POLICY is DROP and there are no ACCEPT 
> rules, leaving the system potentially inaccessible.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

But firewalld has no affect. All ports are open.